> I thought that ESQL used JDBC prepared statements, regardless of whether
> you have bound parameters;

That's right


> while it won't protect you fully, won't it throw
> an exception if it receives two queries (which this attack results in)?

AFAIK - not necessarily... as with all JDBC stuff, this probably depends on the driver implementation :-/

> Perhaps I'm wrong on this point.  It isn't ideal, but if your dynamic SQL
> is only doing selects, and only against data that isn't sensitive, then the
> worst case scenario is perhaps an attack that slows your server down (and
> the attacker would have to know a good deal about your schema to do that).
> If I'm wrong about this JDBC behavior, then I probably need to look at some
> stuff, too!

I fear you are wrong... ...but please try and report back.

In general:

For a safe design, request values should
NEVER appear inside an esql:query tag
except when surrounded by esql:parameter!

cheers
--
Torsten
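The design rule above, as an added ESQL example that is not part of the original thread: the unsafe form that splices a request value straight into the query text, beside the form that wraps the value in esql:parameter so that ESQL emits a ? placeholder and binds the value through the JDBC PreparedStatement. The fragment is assumed to sit inside an xsp:page that declares the esql and xsp-request namespaces; the pool name "demo", the table "users" and its columns are assumptions for illustration.

```xml
<!-- Added example, not from the original thread. Pool name "demo", table
     "users" and its columns are assumptions; the fragment is assumed to be
     inside an xsp:page that declares xmlns:esql and xmlns:xsp-request. -->
<esql:connection>
  <esql:pool>demo</esql:pool>

  <!-- UNSAFE: the request value is pasted into the SQL text, so the string
       handed to JDBC already contains whatever the client sent. A value such
       as "1 or 1=1" rewrites the WHERE clause before any prepared statement
       sees it, and whether a second statement after a semicolon is rejected
       or executed is up to the driver. -->
  <esql:execute-query>
    <esql:query>
      select login from users where id = <xsp-request:get-parameter name="id"/>
    </esql:query>
    <esql:results>
      <esql:row-results>
        <login><esql:get-string column="login"/></login>
      </esql:row-results>
    </esql:results>
  </esql:execute-query>

  <!-- SAFE: the value is wrapped in esql:parameter, so ESQL puts a ? into
       the SQL text and binds the request value with the PreparedStatement
       setter selected by the type attribute. The client input is only ever
       data, never part of the statement. -->
  <esql:execute-query>
    <esql:query>
      select login from users where id = <esql:parameter type="int"><xsp-request:get-parameter name="id"/></esql:parameter>
    </esql:query>
    <esql:results>
      <esql:row-results>
        <login><esql:get-string column="login"/></login>
      </esql:row-results>
    </esql:results>
  </esql:execute-query>
</esql:connection>
```

With type="int" a non-numeric request value fails at bind time instead of being interpreted as SQL; leaving the type as the default string still binds it as data, which is the property the rule above is after. The same applies to every esql:query that takes a value from the request, not just the one shown.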


