The use of prepared statements and stored procedures makes SQL injection impossible. A prepared statement is compiled before the user input is added to the SQL statement, effectively making it impossible to execute the client-supplied data because it is never compiled. There was a thread about this a couple of months back on this list, here's the first post: http://archives.neohapsis.com/archives/sf/www-mobile/2002-q3/0105.html
Have a fun and securely programmed new year, everyone.
Kevin Spett
SPI Labs
http://www.spidynamics.com
> I am working on the Java language section of the OWASP Guide to Securing Web
> Applications, and I have a question for the list. Have any of you elite SQL
> Injectors ever been able to hack an application that was using JDBC
> world's most talented SQL Injector.

Received on Mon Dec 30 18:13:53 2002
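The mechanism described above, as an added example that is not part of the original message: the SQL text is parsed before the input is bound, so the input can only ever be a value. It uses Python's sqlite3 DB-API with `?` placeholders rather than JDBC, since the binding behaviour is the same; the table and the sample names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so the
    database parses whatever it contains as part of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Prepared-statement form: the SQL text is fixed and parsed first;
    the input is bound afterwards as a value, never as SQL. This only holds
    while the statement text itself contains no user input."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run both lookups on the same input and return (concatenated, bound).
    If the concatenated version fails to parse, the input has altered the
    statement's grammar, which is exactly what binding prevents."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    bound = lookup_bound(conn, name)
    conn.close()
    return concat, bound


if __name__ == "__main__":
    # A plain name behaves the same either way.
    print(demo("alice"))
    # A name containing a quote breaks the concatenated statement but is
    # simply "not found" when bound as a parameter.
    print(demo("O'Brien"))
```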
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT