Given:
SELECT * FROM ACCOUNT WHERE USERNAME = ? and PASSWORD = ?
Consider that without prepared statements it would likely be implemented like this:
String username = "cbegin";
String password = "barnacle";
String sql = "SELECT * FROM ACCOUNT WHERE USERNAME = '" + username + "' AND PASSWORD = '" + password + "'";
Now consider what would happen if the password was this:
String password = "xxxxx' OR USERNAME = 'cbegin";
You'd end up with the SQL statement:
SELECT * FROM ACCOUNT WHERE USERNAME = 'cbegin' AND PASSWORD = 'xxxxx' OR USERNAME = 'cbegin'
In Microsoft SQL Server, this would load the ACCOUNT record without the password.
iBATIS protects against this by always using PreparedStatement, but if you use $substitutions$ in your statements, be very careful!
Cheers,
Clinton
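The difference between the two versions of that query, shown as an added example that is not part of this thread: a small Python script (using sqlite3 instead of JDBC/iBATIS, with a constructed in-memory ACCOUNT table) runs the concatenated statement and the parameter-bound statement against the same injected password and returns how many rows each one matches.

```python
import sqlite3

# Constructed in-memory table mirroring the ACCOUNT table in the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNT (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO ACCOUNT VALUES ('cbegin', 'barnacle')")
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    # String concatenation: the password text becomes part of the SQL,
    # so a quote inside it changes the WHERE clause (AND binds before OR).
    sql = ("SELECT * FROM ACCOUNT WHERE USERNAME = '" + username
           + "' AND PASSWORD = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_prepared(conn, username, password):
    # Parameter binding: the driver passes the password as a value,
    # never as SQL text, which is what PreparedStatement gives you.
    sql = "SELECT * FROM ACCOUNT WHERE USERNAME = ? AND PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    conn = make_db()
    injected = "xxxxx' OR USERNAME = 'cbegin"   # the password from the thread
    return {
        "concat_good": len(login_concatenated(conn, "cbegin", "barnacle")),
        "concat_injected": len(login_concatenated(conn, "cbegin", injected)),
        "prepared_good": len(login_prepared(conn, "cbegin", "barnacle")),
        "prepared_injected": len(login_prepared(conn, "cbegin", injected)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated query matches the account with the bogus password, while the bound query matches nothing, because the bound value is compared literally.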
On 7/9/05, Nathan Maves <[EMAIL PROTECTED]> wrote:
I was asked the question "What is SQL injection and how can I avoid it?"
I understand it to a point but an example would be great.
Nathan
On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:
> Yes, it does pass the SQL directly to the driver, but unless you use
> the $$ syntax for parameters, you should be safe with iBATIS.
>
> The $$ syntax is the only part of iBATIS that allows string
> concatenation, which is the biggest source of SQL injection attacks.
>
> If you are using a really crappy jdbc driver, you could have issues
> with it somehow botching things in its implementation of prepared
> statements, but I have not heard of a single case of that happening.
>
> Larry
>
>
> On 7/5/05, Fabrizio Gianneschi
> < [EMAIL PROTECTED]> wrote:
>
>>
>> Since iBatis uses PreparedStatements a lot, it's safer than old
>> school JDBC
>> code, even if it's still vulnerable because it passes the SQL
>> directly to
>> the driver without checking, afaik. You can always use some good
>> tricks to
>> increase the robustness of your SQL, but...
>>
>> ...this type of checking is not the responsibility of a SQL mapper
>> layer like
>> iBATIS.
>> I think you should check your user input in higher server side
>> layers, such
>> as the presentation one; Struts Actions and/or ActionForms, for
>> example.
>>
>> Fab
>>
>> ________________________________
>> From: Pham Anh Tuan [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, 5 July 2005 12.16
>> To: iBatis
>> Subject: [HELP] Whether or not iBatis supports SQL Injection?
>>
>>
>>
>> Hi all,
>>
>> I don't know whether or not iBatis supports checking for SQL Injection?
>>
>> plz help me :)
>>
>> Pham
>
