Furthermore, GeoServer JDBC by default uses prepared statements where possible for both performance and security. Prepared statements are a strong protection against SQL injection because the injected value is not evaluated as SQL code.
On 24/05/12 02:38, David Winslow wrote:
> I guess it might be possible in theory to perform an injection attack by
> some clever escaping - using "' -- DELETE TABLE important_data;" as a
> property name. But GeoServer validates that filters reference only
> properties that are actually present, so this would not be feasible
> through WFS.

--
Ben Caradoc-Davies <[email protected]>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
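An added example, not code from the message or from GeoServer, showing the two defences the thread describes side by side in Python with sqlite3: the property name is checked against a schema whitelist (the feature type schema and rows are constructed assumptions) because identifiers cannot be bound, and the value is passed as a prepared-statement parameter so it is never parsed as SQL.

```python
import sqlite3

# Constructed stand-in for a feature type schema (assumption): the server
# knows which properties each type actually has and rejects filters that
# name anything else, which is the validation the message describes.
FEATURE_TYPES = {"roads": ("id", "name", "lanes")}


def open_db():
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE roads (id INTEGER, name TEXT, lanes INTEGER);"
        "INSERT INTO roads VALUES (1, 'Main St', 2), (2, 'High St', 4);"
    )
    return conn


def naive_query(conn, prop, value):
    """String-built SQL: both the property name and the value become code."""
    sql = f"SELECT id FROM roads WHERE {prop} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, type_name, prop, value):
    """Identifier checked against the schema, value bound as a parameter."""
    allowed = FEATURE_TYPES.get(type_name)
    if allowed is None or prop not in allowed:
        raise ValueError(f"unknown property {prop!r} for {type_name!r}")
    # Column names cannot be bound, so the whitelist above is the only guard
    # for them; the value travels separately and is compared literally.
    sql = f'SELECT id FROM {type_name} WHERE "{prop}" = ?'
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both paths against a tautology value and a hostile property name."""
    conn = open_db()
    hostile_value = "x' OR '1'='1"
    results = {
        "naive": naive_query(conn, "name", hostile_value),   # every row leaks
        "bound": safe_query(conn, "roads", "name", hostile_value),  # no match
        "legit": safe_query(conn, "roads", "name", "Main St"),
    }
    try:
        safe_query(conn, "roads", "' -- DELETE TABLE important_data;", "x")
        results["bad_prop"] = "accepted"
    except ValueError:
        results["bad_prop"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```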
