
Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

From: Kevin Spett <kspett(at)spidynamics.com>
Date: Fri Jan 03 2003 - 11:01:20 EST

As far as I can tell, the JDBC spec requires that a PreparedStatement be precompiled. This has the effect of separating the client-supplied values from the SQL statement, which prevents SQL injection. Every database server/JDBC API I have seen does this. Does anyone know of any exceptions?

Now of course, you can still shoot yourself in the foot programming with PreparedStatements if you build them by concatenating client-supplied data into them as opposed to using the '?' substitutions. But not only is that insecure, it also completely defeats the purpose of using PreparedStatements.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Jeff Williams @ Aspect" <jeff.williams@aspectsecurity.com>
To: "Kevin Spett" <kspett@spidynamics.com>; "Dave Aitel" <dave@immunitysec.com>; <webappsec@securityfocus.com>
Sent: Monday, December 30, 2002 10:37 PM
Subject: Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

> I think there's a very important point here about specifications and
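As an added illustration of the two styles contrasted in the post above (not code from the original thread), here is the same lookup written once by concatenating the client value into the SQL text and once with a '?' placeholder bound after compilation, which is what JDBC's PreparedStatement.setString does. It uses Python's sqlite3 module rather than JDBC so it runs offline; the users table and the probe input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: two accounts, one privileged.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# Constructed probe: a value that only has an effect if it is parsed as SQL.
PROBE = "x' OR 'a'='a"


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """The foot-gun from the post: the client value becomes part of the SQL text,
    so quote characters in it are parsed as syntax, not as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """The '?' substitution: the statement is compiled with a placeholder and the
    value is bound afterwards, so it is always compared as a literal string."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def returns_extra_rows(lookup, conn):
    """Simple check a reviewer can run against a lookup function: the probe value
    matches no real user, so any row it returns means input was parsed as SQL."""
    return len(lookup(conn, PROBE)) > 0


if __name__ == "__main__":
    db = build_db()
    print("concat  :", lookup_concat(db, PROBE))   # every user comes back
    print("param   :", lookup_param(db, PROBE))    # no user is literally named that
    print("concat injectable:", returns_extra_rows(lookup_concat, db))
    print("param  injectable:", returns_extra_rows(lookup_param, db))
```

A name containing an apostrophe, such as O'Brien, makes the concatenated version fail with a syntax error while the bound version simply matches the literal, which is the "defeats the purpose" point in the post.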
Received on Fri Jan 3 11:12:26 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

