TS Rick Gruber-Riemer wrote:
Hi
Sorry for a maybe stupid question: how can a persistence framework be more
secure? Do they include code to detect SQL injects - I have some doubts that
automatic/configured O/R-mapping by itself protects entirely from SQL-injection
attacks.
Is there more to it?
Well, it all boils down to using PreparedStatements really - use
Hibernate or OJB or whatever persistence framework you choose and you
are safe, because they are using PreparedStatements internally; use
PreparedStatements yourself and you are safe, too...
regards,
Martin
On Thu, 24 Mar 2005 22:10
Jonathan Eric Miller wrote:
If you are using direct SQL, I would recommend using PreparedStatements
instead of Statements. As far as I know, PreparedStatements pretty much
rule out SQL injection attacks. If anyone knows otherwise, please let me
know...
Others have mentioned using Object/Relatio
Martin Marinschek wrote:
but as to the original question: no there is nothing like that
implemented right into MyFaces
Is this really the area which MyFaces has to cover?
This is a controller, model problem not a view problem, and JSF
basically covers mostly the view level with basic infrastructure
Yes, PreparedStatement is enough since the JDBC driver will perform the
necessary escaping. However, some people just do regular Statements for
performance reasons. Although I'd claim the escaping feature of
PreparedStatements overrules the minimal performance hit (your mileage
may vary). Yo
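The point made in Martin's reply and in the reply above (the driver handles the quoting once the value is bound as a parameter instead of pasted into the SQL text) in code. This is an added example, not code from this thread, from MyFaces or from any persistence framework; it assumes a JDBC Connection from whichever driver you use and a hypothetical USERS table with USERNAME and EMAIL columns.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

/**
 * Added example (not from the MyFaces list): string-built SQL beside the
 * parameterised form. The USERS table and its columns are hypothetical;
 * the Connection comes from any JDBC driver.
 */
public class UserLookup {

    // Unsafe form: the request value becomes part of the SQL text, so a quote
    // character in it changes the statement's structure. Even a legitimate
    // name such as O'Brien makes this query fail, and a crafted value can
    // change what the statement does.
    public static String findEmailUnsafe(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT EMAIL FROM USERS WHERE USERNAME = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Safe form: the SQL text is constant and holds only a placeholder. The
    // value is bound with setString, so the driver transmits or escapes it as
    // data; O'Brien is simply matched as the string O'Brien.
    public static String findEmailSafe(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT EMAIL FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Caveat: a placeholder can only stand for a value. Identifiers such as a
    // column name in ORDER BY cannot be bound, so when they come from the
    // request they must be checked against a fixed allow-list first.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("USERNAME", "EMAIL");

    public static PreparedStatement listUsersSorted(Connection conn, String sortColumn)
            throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Safe only because sortColumn was just restricted to known literals.
        return conn.prepareStatement(
                "SELECT USERNAME, EMAIL FROM USERS ORDER BY " + sortColumn);
    }
}
```

The same distinction applies inside a persistence framework: Hibernate or iBATIS are safe because their generated SQL binds values as parameters, but an HQL or SQL string you concatenate yourself and hand to the framework is in the same position as findEmailUnsafe.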
To: "MyFaces Discussion"
Sent: Thursday, March 24, 2005 5:33 AM
Subject: SQL Injection attack
Hi all,
Is there anything in JSF (or in MyFaces) which can detect / filter out
text entered into a text box which could inject and run SQL commands on
the database?
Any thoughts on th
Original Message
Subject: Re: SQL Injection attack
Date: Thu, 24 Mar 2005 16:31:20 +0100
From: Stefan Langer <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Michal Malecki <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
<[EMAIL PROTECTED
Is using PreparedStatement not enough? I'm not sure but if setting
parameters using set methods, they can't be used to inject any specific sql
code. So ibatis sqlmap would be enough. Am I wrong?
Michal Malecki
Most of the time the tools e
TS Rick Gruber-Riemer wrote:
Hi
Sorry for a maybe stupid question: how can a persistence framework be more secure?
> Do they include code to detect SQL injects -
It is more secure at various stages; persistence frameworks normally use
different non SQL query languages, some even can rely entirely o
From: Dave Sag [mailto:[EMAIL PROTECTED]
Sent: Thu 3/24/2005 12:47 PM
To: MyFaces Discussion
Cc:
Subject:Re: SQL Injection attack
well the simplest answer is don't directly access your database with
data entered into your fields, but use a persistence framework lik
but as to the original question: no there is nothing like that
implemented right into MyFaces
regards,
Martin
On Thu, 24 Mar 2005 12:47:33 +0100, Dave Sag <[EMAIL PROTECTED]> wrote:
> well the simplest answer is don't directly access your database with
> data entered into your fields, but use a
well the simplest answer is don't directly access your database with
data entered into your fields, but use a persistence framework like JDO
from your underlying controller layer, after you have performed any
form field validations.
dave
On 24/03/2005, at 12:33 PM, Conway. Fintan (IT Solutions)
Hi all,
Is there anything in JSF (or in MyFaces) which can detect / filter out
text entered into a text box which could inject and run SQL commands on
the database?
Any thoughts on this matter would be appreciated,
Thanks,
Fintan