I don't want to start a flame. I'd like to understand a bit more datastore and jdo and how to use them better. :)
So, the problem exists. Can you confirm? I agree with you: it's a developer problem and not a jdo or datastore problem. But it's the same as the classic sql injection attack: it's always caused by developer error. Last: on GAE the problem is very less important and mitigated than classic sql. Infact in GAE you cannot inject the classic sql injection sequence like " dummy' or '1'='1 ". But this is due to the fact that datastore is not able to manage 1==1. So, as you wrote, it's important to use parameters and not concatenated strings. Exactly the same as classic sql. :) Have I correctly understood? Fabrizio On Sun, Jan 9, 2011 at 9:29 AM, datanucleus <andy_jeffer...@yahoo.com>wrote: > And that is the developer who has left it open to that. Any sane > developer would have put "parameters" in the query > > > String q = "select from Employee where managerID == :user && lastName > == :name"; > > and there any vulnerability disappears. :-P > Besides which the query written like that would also optimise far > better > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine for Java" group. > To post to this group, send email to > google-appengine-j...@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine-java+unsubscr...@googlegroups.com<google-appengine-java%2bunsubscr...@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/google-appengine-java?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group. To post to this group, send email to google-appengine-j...@googlegroups.com. To unsubscribe from this group, send email to google-appengine-java+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
