Well, for what it's worth, using Oracle's jdbc drivers and putting a second query in the esql:query block results in this error:
java.sql.SQLException: ORA-00911: invalid character
Ok
I separated the two queries using ";", which is presumably the invalid character Oracle is complaining about. I can't imagine any other way of separating the two queries. Any thoughts?
No, sounds you are pretty safe then
I can't find anything in the java docs for java.sql.Connection.prepareStatement() that specifically forbids having multiple queries, so you may be right about it being driver dependent.
IIRC I was able to reproduce an injection ...but that was about 2 years ago - I cannot remember the database and driver I was using.
Anyway, the thing is: we cannot rely on the driver's behaviour - so it's not recommended. But just like in your case you *can* be safe.
Makes me think... maybe we should include some testcases for the behaviour... I'll put that on my TODO list.
Our app seems to be pretty safe from this particular attack, regardless. We actually run the query through another parser (too long to explain why) that results in only one query getting executed, regardless of what is in the query block (I had to work around this to get a good test and produce the exception noted above). I also looked hard (since I was looking) at every possible way I could mess with the query parameters to modify the way the SQL executes, but it appears that we do enough stuff to the request parameters (stripping quotes, parsing into integers, etc.) that there isn't much hacking possible. (Hopefully nobody will take this as a challenge, but notice I'm NOT listing any URLs for my app here!)
;)
Of course, all of our update/delete queries are using bound parameters!
good :)
cheers -- Torsten
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
