ibatis-user-java mailing list archives

From Fabio Insaccanebbia <finsaccaneb...@gmail.com>
Subject Re: [HELP] Whether or not iBatis support SQL Injection?
Date Wed, 06 Jul 2005 08:37:16 GMT
> If so, in another case, if another column named Name, data type is
> Varchar(or String), we have sql like below:
> select * from user where name = ?
> and ? has value is 'bowl;drop table foo;--' ... what will happen, Larry ?

The query would be considered as 

select * from user where name = 'bowl;drop table foo;--'

(I guess it would just return 0 rows)

I prepared a long, detailed and complex explanation but then found
this short description..
I hope it's enough to clear the doubts.. :-)

"For instance, in Java, a secure way to build SQL statements is to
construct all queries with PreparedStatement instead of Statement
(....) When PreparedStatement is used, most JDBC drivers will prepare
a statement with the server, and then supply the parameters
separately. In either case, after the initial parsing, there is a
clear distinction between the SQL statement and the variable. The
variables are encapsulated and special characters within them are
automatically escaped in a manner suited to the target database.
Consequently, it is impossible for a hacker to pass malicious input
and have it treated as if it were the actual SQL statement— which is
necessary if the hacker is going to succeed with SQL injection."

( quoted from  http://www.devx.com/security/Article/20678/0/page/2 )
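The behaviour described above, as an added example that is not part of the original post: Python's sqlite3 module is used here as a stand-in for JDBC, since DB-API parameter binding (`?` placeholders) is the same mechanism as `PreparedStatement`. The table names, the sample rows and the `o'brien` name are constructed for this example; only the `bowl;drop table foo;--` value comes from the thread.

```python
import sqlite3

# Constructed sample rows, not data from the mailing-list thread.
USERS = [("alice",), ("bowl",), ("o'brien",)]
# The exact value discussed in the thread, and a legitimate name containing a quote.
THREAD_INPUT = "bowl;drop table foo;--"
QUOTED_NAME = "o'brien"


def fresh_db():
    """In-memory SQLite with a 'user' table and the 'foo' table the input names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (name text)")
    conn.executemany("insert into user values (?)", USERS)
    conn.execute("create table foo (id integer)")
    return conn


def table_exists(conn, table):
    """True if 'table' is still present in the schema catalogue."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def names_bound(conn, name):
    """Parameter binding: the DB-API counterpart of JDBC PreparedStatement.
    The value travels separately from the SQL text, so it is always data and
    is never parsed as part of the statement."""
    cur = conn.execute("select name from user where name = ?", (name,))
    return [r[0] for r in cur.fetchall()]


def names_concat(conn, name):
    """String concatenation: the Statement-style anti-pattern the thread warns
    against. A quote inside the value collides with the SQL syntax.
    Returns None when the database rejects the assembled text."""
    sql = "select name from user where name = '" + name + "'"
    try:
        return [r[0] for r in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return None


def demo(name):
    """Run both styles against a fresh database and report
    (rows via binding, rows via concatenation, whether 'foo' still exists)."""
    conn = fresh_db()
    bound = names_bound(conn, name)
    concat = names_concat(conn, name)
    return bound, concat, table_exists(conn, "foo")


if __name__ == "__main__":
    # The thread's value is treated as one literal string: 0 rows, nothing dropped.
    print(demo(THREAD_INPUT))   # ([], [], True)
    # Binding handles the embedded quote for you; concatenation produces broken SQL.
    print(demo(QUOTED_NAME))    # (["o'brien"], None, True)
```

With the bound query the whole value, semicolon and comment marker included, is compared against the `name` column as a literal, which is exactly why the thread's answer expects 0 rows. The second input shows the other half of the quoted explanation: special characters in a bound value are handled by the driver, whereas concatenation leaves the quote free to alter the statement's structure, here breaking it outright.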