Well, for what it's worth, using Oracle's jdbc drivers and putting a second query in the esql:query block results in this error:
java.sql.SQLException: ORA-00911: invalid character
I separated the two queries using ";", which is presumably the invalid character Oracle is complaining about. I can't imagine any other way of separating the two queries. Any thoughts?
I can't find anything in the java docs for java.sql.Connection.prepareStatement() that specifically forbids having multiple queries, so you may be right about it being driver dependent.
Our app seems to be pretty safe from this particular attack, regardless. We actually run the query through another parser (too long to explain why) that results in only one query getting executed, regardless of what is in the query block (I had to work around this to get a good test and produce the exception noted above). I also looked hard (since I was looking) at every possible way I could mess with the query parameters to modify the way the SQL executes, but it appears that we do enough stuff to the request parameters (stripping quotes, parsing into integers, etc.) that there isn't much hacking possible. (Hopefully nobody will take this as a challenge, but notice I'm NOT listing any URLs for my app here!)
Of course, all of our update/delete queries are using bound parameters!
-Christopher
Torsten Curdt <[EMAIL PROTECTED]>
Sent by: news <[EMAIL PROTECTED]> 03/05/2004 09:15 PM
To: [EMAIL PROTECTED]
cc:
Subject: Re: binding params in dynamic queries in ESQL
> I thought that ESQL used JDBC prepared statements, regardless of whether
> you have bound parameters;
That's right
> while it won't protect you fully, won't it throw
> an exception if it receives two queries (which this attack results in)?
AFAIK - not necessarily... as with all JDBC stuff
this probably depends on the driver implementation :-/
> Perhaps I'm wrong on this point. It isn't ideal, but if your dynamic SQL
> is only doing selects, and only against data that isn't sensitive, then the
> worst case scenario is perhaps an attack that slows your server down (and
> the attacker would have to know a good deal about your schema to do that).
> If I'm wrong about this JDBC behavior, then I probably need to look at some
> stuff, too!
I fear you are wrong...
...but please try and report back.
In general:
For a safe design request values should
NEVER appear inside an esql:query tag
except when surrounded by esql:parameter!
cheers
--
Torsten
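Torsten's rule above, shown as an added example that is not part of the thread: the same lookup written the unsafe way (request value spliced into the query text) and the safe way (request value passed through esql:parameter, which becomes a JDBC bind parameter). The pool name, the request parameter name and the table are assumed.

```xml
<!-- Added illustration for an XSP page using the Cocoon ESQL logicsheet; pool, table and parameter names are assumed. -->
<xsp:page xmlns:xsp="http://apache.org/xsp"
          xmlns:xsp-request="http://apache.org/xsp/request/2.0"
          xmlns:esql="http://apache.org/cocoon/SQL/v2">
  <products>
    <esql:connection>
      <esql:pool>products-pool</esql:pool>

      <!-- UNSAFE: the request value is concatenated into the SQL text.
           Whatever the client sends becomes part of the statement, which is
           exactly the situation discussed above. -->
      <esql:execute-query>
        <esql:query>
          select name, price from products
          where id = <xsp-request:get-parameter name="id"/>
        </esql:query>
        <esql:results>
          <esql:row-results>
            <product><esql:get-string column="name"/></product>
          </esql:row-results>
        </esql:results>
      </esql:execute-query>

      <!-- SAFE: the request value only ever appears inside esql:parameter.
           ESQL emits a "?" placeholder and binds the value on the
           PreparedStatement, so the value is data, never SQL. -->
      <esql:execute-query>
        <esql:query>
          select name, price from products
          where id = <esql:parameter type="int"><xsp-request:get-parameter name="id"/></esql:parameter>
        </esql:query>
        <esql:results>
          <esql:row-results>
            <product><esql:get-string column="name"/></product>
          </esql:row-results>
        </esql:results>
      </esql:execute-query>
    </esql:connection>
  </products>
</xsp:page>
```

Only the second form should survive review; the first one is included purely to show what "request values inside esql:query without esql:parameter" looks like.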
