
JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

From: Christopher Todd <chris(at)christophertodd.com>
Date: Mon Dec 30 2002 - 15:29:26 EST


I am working on the Java language section of the OWASP Guide to Securing Web Applications, and I have a question for the list. Have any of you elite SQL Injectors ever been able to hack an application that was using JDBC PreparedStatements? Are any of you aware of a theoretical reason this should be impossible? I have tried, and been unsuccessful, to perform SQL injection on an example app I coded up, but then again, I am not the world's most talented SQL Injector.

On another note, have any of you ever successfully used SQL Injection against a web app that was using Castor JDO, or other similar Object-Relational mapping tools? Again, I have tried to attack an example app I coded up and failed. Same question - is it theoretically impossible to execute SQL injection against apps coded using these techniques and tools?

I ask these questions because I think these two techniques can be used effectively to thwart (or at least make more difficult) SQL injection attacks against Java-based web apps, but I want to validate that belief to the best extent I can prior to putting such statements into the Guide. Thanks in advance for any help you can provide, as it will improve the quality and usefulness of the Guide.

Chris

Received on Mon Dec 30 16:56:05 2002
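The distinction Chris is asking about is whether untrusted input becomes part of the SQL text the engine parses, or is bound to a placeholder after parsing. The following is an added example, not code from the original post or the OWASP Guide; it uses Python's standard sqlite3 module in place of JDBC because it runs offline with no driver, but the `?` placeholder semantics are the same as a JDBC PreparedStatement. The table, rows and the tautology input are constructed for the demonstration, and `ALLOWED_SORT_COLUMNS` is a hypothetical allow-list illustrating the one case bind parameters cannot cover (identifiers such as column names).

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data standing in for a JDBC-backed table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable form: the input is spliced into the statement text, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    # Parameterised form (what a JDBC PreparedStatement does): the statement text
    # is fixed when it is prepared; the value is supplied separately and can only
    # ever be compared as a string, never re-parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical allow-list: placeholders bind values, not identifiers, so a
# caller-chosen ORDER BY column still has to be validated some other way.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % column)
    return conn.execute("SELECT name FROM users ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed tautology input
    print(lookup_concat(db, payload))  # all three rows: the quote escaped the literal
    print(lookup_bound(db, payload))   # []: no user has that literal name
```

The bound version is immune to this class of input because the database never sees the parameter as SQL; the remaining exposure is statement text that is itself assembled from input, as `list_sorted` shows.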

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
