Hi, I tested the code in my initial post and indeed there is no problem with SQL injection attacks related to DROP, DELETE, UPDATE etc.

But in the type of SQL injection attack shown below:

select * from table where something= 'value derived from FIQL'

If the user gives blala' or 'x' = 'x in the request URL, then the query that we get from visitor.getQuery() is

select * from table where something='blala' or 'x' = 'x'

which passes successfully. So as far as I can understand there is a vulnerability there. Also, validation in the setters cannot always work because of the nature of the data that are stored in the database.

I was wondering how the SQL string is produced by the FIQL library. Is it by concatenating the strings that the user passes on the URL?

Thanks

--
View this message in context: http://cxf.547215.n5.nabble.com/Is-FIQL-SQL-Injection-safe-tp5729800p5729865.html
Sent from the cxf-user mailing list archive at Nabble.com.
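The tautology injection described in the post, reproduced as an added example that is not part of the original thread and is not CXF's SQLPrinterVisitor code. It models the query-building shape the poster reports (the FIQL value spliced into the SQL text) beside a hardened builder that binds the value as a parameter and checks the column name against a whitelist, then runs both against an in-memory SQLite table. The table name `items`, the column `something`, the sample rows and the `field==value` parser are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [("blala",), ("foo",), ("bar",)]
# Assumption: the only column a FIQL query is allowed to search on.
# Column names cannot be bound as parameters, so they must be whitelisted.
ALLOWED_COLUMNS = {"something"}


def parse_fiql_eq(expr):
    """Parse the minimal FIQL shape used in the thread: field==value."""
    field, sep, value = expr.partition("==")
    if not sep or not field:
        raise ValueError("only 'field==value' is supported in this example")
    return field, value


def naive_sql(expr):
    """The vulnerable shape: the user-supplied value is concatenated into SQL.

    With value  blala' or 'x' = 'x  this yields the query from the post,
    where the quote closes the literal and  or 'x' = 'x'  is always true.
    """
    field, value = parse_fiql_eq(expr)
    return "select * from items where " + field + "='" + value + "'"


def safe_sql(expr):
    """Hardened builder: whitelisted column name, value bound with a placeholder.

    Returns (sql, params); the driver sends the value separately, so quotes
    inside it are data, never SQL syntax.
    """
    field, value = parse_fiql_eq(expr)
    if field not in ALLOWED_COLUMNS:
        raise ValueError("unknown field: " + field)
    return "select * from items where " + field + "=?", (value,)


def _db():
    """Fresh in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (something text)")
    conn.executemany("insert into items values (?)", ROWS)
    return conn


def run_naive(expr):
    """Execute the concatenated query; a tautology payload returns every row."""
    conn = _db()
    return conn.execute(naive_sql(expr)).fetchall()


def run_safe(expr):
    """Execute the parameterized query; the payload matches nothing."""
    conn = _db()
    sql, params = safe_sql(expr)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    payload = "something==blala' or 'x' = 'x"
    print(naive_sql(payload))   # the exact query quoted in the post
    print(run_naive(payload))   # all three rows leak
    print(run_safe(payload))    # no rows: the payload is just a string
```

The whitelist on the column name matters as much as the placeholder: a builder that binds values but still splices the field name from the URL is injectable through the left-hand side of the expression, which is why `safe_sql` rejects anything outside `ALLOWED_COLUMNS` rather than trusting the parsed field.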
