I thought that ESQL used JDBC prepared statements, regardless of whether
you have bound parameters; while it won't protect you fully, won't it throw
an exception if it receives two queries (which this attack results in)?
Perhaps I'm wrong on this point. It isn't ideal, but if your dynamic SQL
is only doing selects, and only against data that isn't sensitive, then the
worst case scenario is perhaps an attack that slows your server down (and
the attacker would have to know a good deal about your schema to do that).
If I'm wrong about this JDBC behavior, then I probably need to look at some
stuff, too!
-Christopher
Geoff Howard <[EMAIL PROTECTED]eb.com>
03/05/2004 04:45 PM
Please respond to users
To: [EMAIL PROTECTED]
cc:
Subject: Re: binding params in dynamic queries in ESQL
Geoff Howard wrote:
>
> How are you protecting against SQL Injection attacks?
> <esql:query>select * from foo where foo.x =
> '<xsp-request:get-parameter name="bar"/>'</esql:query>
>
> if you take myVar in any way from a request parameter, what happens if
> I pass in a value like bar=abc;delete%20from%20foo (try it on your app).
Oops, changed my example without changing all references - myVar is
supposed to be bar obviously.
I don't have many soapboxes but this is one of them - I have inherited
applications crippled by problems like this.
Geoff
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
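The distinction the thread turns on, as an added example that is not part of the original messages: Python's sqlite3 stands in for ESQL/JDBC, the concatenated query pastes the request parameter into the SQL text (the quoted snippet), the bound query sends it separately (what JDBC setString / ESQL's `<esql:parameter>` does), and a small check answers Christopher's question for the driver actually in use. The `foo` table and its rows are constructed for the example; sqlite3 happens to refuse two statements per call, but other drivers differ, so run the check against your own.

```python
import sqlite3

# Constructed sample table standing in for the "foo" table in the thread.
SAMPLE_ROWS = [("abc", "one"), ("def", "two")]

# The value from Geoff's example, as it arrives after URL decoding.
THREAD_PAYLOAD = "abc;delete from foo"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (x text, note text)")
    conn.executemany("insert into foo values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_concatenated(conn, bar):
    """Mirrors the quoted ESQL snippet: the request parameter is pasted into the
    SQL text, so whatever the client sent is now part of the statement."""
    sql = "select * from foo where foo.x = '" + bar + "'"
    return sql, conn.execute(sql).fetchall()


def query_bound(conn, bar):
    """Mirrors a bound parameter (JDBC setString / ESQL <esql:parameter>): the
    SQL text is fixed and the value travels separately, so it is only ever data."""
    sql = "select * from foo where foo.x = ?"
    return sql, conn.execute(sql, (bar,)).fetchall()


def driver_rejects_multiple_statements(conn):
    """Christopher's question, made testable: does this driver refuse two
    statements in one execute() call?  Harmless pair of selects, no side effects."""
    try:
        conn.execute("select 1; select 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for fn in (query_concatenated, query_bound):
        sql, rows = fn(db, THREAD_PAYLOAD)
        print(f"{fn.__name__}: sql={sql!r} rows={rows}")
    print("driver rejects two statements:", driver_rejects_multiple_statements(db))
```

The useful comparison is the returned `sql` string: with concatenation the untrusted text is inside it, with binding it never is, whatever the driver does with extra statements.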
Re: binding params in dynamic queries in ESQL
Christopher Painter-Wakefield Fri, 05 Mar 2004 14:06:19 -0800
