I'm with Hans on this one.  Any examples of a JDBC driver where
PreparedStatement doesn't behave like that?

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Hans Bergsten
Sent: Thursday, November 15, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Chris Tucker wrote:
>
> Tim,
>
> Simply making sure you escape any single-quotes in your input string to
> single-quote single-quote will fix the problem.  But I feel that JDBC should
> have some "official" way of doing this for you (seeing as how Java Strings
> are fixed length, buggering about with replacing one character with two
> others is inefficient and a little awkward).  Just to demonstrate the point,
> Bob's loophole would then result in a query of:
> "select * from username='x'' or 1=1 --' and password='x'"
> which will simply check to see if the username is "x' or 1=1 --" and the
> password is "x" -- clearly, unless you have a user with that name and
> password, this query will not succeed.

The "official" way of taking care of escaping is, AFAIK, using a
PreparedStatement and setString(). I know this was mentioned as a
solution earlier (by Chris?), and that someone said that it didn't
work for all JDBC drivers. But I seriously doubt that.

When you use setString(), the JDBC driver interprets the argument as
*one* string that takes the place of the single ? in the SQL statement:

  username = ?  --> username = new String("x' or 1=1 ---")

Hence, it should *not* build up a complete statement, escaping quotes
and then parse for strings in the expanded SQL statement. Instead, it
should parse the SQL with the placeholders (?) and then just replace
the placeholders with the values provided by the setXXX() methods.
This way there's no chance that it can be fooled by a string value that
actually contains pieces of an SQL statement.

If someone has an example of a JDBC driver where this is a problem
even when a PreparedStatement is used, I would really like to know.

Hans
--
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
