Hi

> Interesting. Well, that sounds like a general issue, right? Whenever a
> user submits a query of some sort and the application code builds an
> SQL query (let's not even talk about a FIQL SQL handler) then there's
> always a danger there that a query value may have something bad encoded
> there...

Yes, you are right on this. However, in order to avoid that type of vulnerability, there could be a method in the visitor, let's say getPreparedStatement(), that would return a PreparedStatement instead of an SQL String. Is this possible? And also, is it worth implementing something like that?
> How do you mean? You have "name=some bad expression", you have the
> domain knowledge of what a 'name' is. There must be a way to validate
> what 'name' may be, otherwise there would always be an injection issue
> hanging around

Yes, but if you don't have the domain of a name and you have a field called password which allows alphanumeric characters including special characters like =/\ etc., then you cannot validate against it.

Thanks

--
View this message in context: http://cxf.547215.n5.nabble.com/Is-FIQL-SQL-Injection-safe-tp5729800p5729871.html
Sent from the cxf-user mailing list archive at Nabble.com.
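The getPreparedStatement() idea from the message above, sketched as an added example (not CXF's FIQL parser or its SQL visitor): a tiny hand-written FIQL subset is converted once into concatenated SQL and once into placeholder SQL plus bound values, and both are run against a constructed in-memory SQLite table. The column allow-list, the `users` table and the row values are assumptions made for the example.

```python
import re
import sqlite3

# Constructed FIQL subset: ';' joins terms with AND; '==', '=gt=', '=lt='.
OPS = {"==": "=", "=gt=": ">", "=lt=": "<"}
TERM = re.compile(r"^(\w+)(==|=gt=|=lt=)(.*)$")
COLUMNS = {"name", "age"}  # identifiers cannot be bound, so allow-list them

def parse(expr):
    """Yield (column, sql_operator, value) for each ';'-joined FIQL term."""
    for term in expr.split(";"):
        m = TERM.match(term)
        if not m or m.group(1) not in COLUMNS:
            raise ValueError("rejected FIQL term: %r" % term)
        col, op, value = m.groups()
        yield col, OPS[op], value

def to_prepared(expr):
    """What a getPreparedStatement()-style visitor would produce: SQL text
    with '?' placeholders plus the values to bind; data never becomes syntax."""
    clauses, params = [], []
    for col, op, value in parse(expr):
        clauses.append("%s %s ?" % (col, op))
        params.append(value)
    return "SELECT name FROM users WHERE " + " AND ".join(clauses), params

def to_string(expr):
    """The string-building approach the thread is worried about."""
    clauses = ["%s %s '%s'" % (col, op, v) for col, op, v in parse(expr)]
    return "SELECT name FROM users WHERE " + " AND ".join(clauses)

def run(expr, prepared):
    """Execute against a constructed table; return matched names, or the
    SQLite error text when the generated SQL is no longer well-formed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("O'Brien", 41), ("alice", 29)])
    try:
        if prepared:
            sql, params = to_prepared(expr)
            rows = conn.execute(sql, params).fetchall()
        else:
            rows = conn.execute(to_string(expr)).fetchall()
        return [r[0] for r in rows]
    except sqlite3.OperationalError as e:
        return "error: %s" % e

if __name__ == "__main__":
    # A perfectly legitimate value containing a quote already breaks the
    # string builder, while the prepared form binds it as plain data.
    print(run("name==O'Brien;age=gt=30", prepared=False))
    print(run("name==O'Brien;age=gt=30", prepared=True))
```

Note that placeholders only cover values: a column name taken from the FIQL expression still has to be validated against a known set, which is what the allow-list does here.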
