Hi
On 25/06/13 10:16, nikosdim wrote:
> Hi
> I am currently on my way to give a try to the FIQL SQL and I was wondering
> if the code below is SQL-injection safe. If not, is there any way to protect
> ourselves from SQL injection attacks?
>
> import org.apache.cxf.jaxrs.ext.search.SearchCondition;
> import org.apache.cxf.jaxrs.ext.search.SearchContext;
> import org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor;
>
> // Parse the FIQL expression from the request into a condition over Book
> SearchCondition<Book> sc = searchContext.getCondition(Book.class);
> // Visitor that renders that condition as a SELECT against "table"
> SQLPrinterVisitor<Book> visitor = new SQLPrinterVisitor<Book>("table");
> sc.visit(visitor);
SQLPrinterVisitor itself will produce a statement starting with SELECT.
Without knowing much about all the possible injection attack variations,
I'd say that a DB won't do an update as part of a SELECT?
Now, assuming it is possible somehow to trick the DB, say by having a
SELECT statement somehow encode bad SQL statements within some of the SELECT
values, for example "SELECT name from table where name=*BAD_SQL*", then the
best thing one can do is to make sure that the Book setters do the
validation; for example, a setName(String value) method ensures 'name' has a
valid value, etc.
Cheers, Sergey
Thanks
--
View this message in context:
http://cxf.547215.n5.nabble.com/Is-FIQL-SQL-Injection-safe-tp5729800.html
Sent from the cxf-user mailing list archive at Nabble.com.
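The setter validation the reply recommends, written out as an added example (this is not CXF code and not code from either poster). It assumes a hypothetical Book bean whose setName is the one CXF calls while building the search template; the whitelist pattern and the sample inputs are constructed for illustration.

```java
import java.util.regex.Pattern;

// Hypothetical Book bean with a validating setter (example, not CXF's own code).
public class Book {
    // Whitelist of what a book name may legitimately contain: letters, digits,
    // spaces and a few punctuation marks. Quotes, semicolons and comment markers
    // are not in the set, so a value carrying them never reaches the SQL string.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[\\p{L}\\p{N} .,:!?&()-]{1,200}");

    private String name;

    public String getName() {
        return name;
    }

    // Reject anything outside the whitelist; the FIQL parser will then fail the
    // request instead of feeding the raw value into SQLPrinterVisitor.
    public void setName(String value) {
        if (value == null || !SAFE_NAME.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid book name");
        }
        this.name = value;
    }

    // Returns true when the value passes the same check the setter applies,
    // so callers can pre-validate without constructing a bean.
    public static boolean isSafeName(String value) {
        return value != null && SAFE_NAME.matcher(value).matches();
    }

    public static void main(String[] args) {
        Book b = new Book();
        b.setName("Apache CXF in Action");                 // accepted
        System.out.println("accepted: " + b.getName());
        try {
            b.setName("x'; BAD_SQL --");                   // constructed bad input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The whitelist is a policy choice: as written it also rejects legitimate names with an apostrophe, so the pattern has to match the data the field really holds. Validation in the setter narrows what can reach the generated string; where the SELECT is actually executed, binding values through a PreparedStatement rather than concatenating them remains the stronger general defence.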