Hi Daniel,

AFAIK it is neither the job of an ORM tool, nor is it possible at all, to secure such a layer against SQL injection. Torque explicitly allows the use of custom SQL. Hence some kind of SQL injection is a real feature (in terms of extensibility and flexibility) of an ORM tool and not really a vulnerability. I think the caller, or rather the DAO layer in use, has to do the job of preventing unwanted SQL injection.

So to answer your question: it is known that it is possible to do SQL injection with Torque. The Criteria class used does not contain any logic to check for additional (injected) SQL statements.
And to be honest: I'm happy with that, because if it is really necessary, we can do a lot of "SQL tricks" with Torque without switching to raw SQL completely :-)

cheers
Michael
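To illustrate the point above in code: the following is an added example, not code from this thread or from the Torque project. It contrasts a DAO method that splices untrusted input into a Criteria.CUSTOM fragment (which Criteria passes through unchanged) with the plain add(column, value) form, where the value is handed to Torque to render, and with a guarded custom-SQL path where the caller itself restricts what may enter the fragment. The generated classes UserPeer and User, the column constant UserPeer.LOGIN and the table name "user" are assumptions for the sake of the example; Criteria, Criteria.CUSTOM, add(...) and addAscendingOrderByColumn(...) are the Torque 3.x API.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.torque.TorqueException;
import org.apache.torque.util.Criteria;

// UserPeer / User are assumed to be Torque-generated classes for a table
// "user" with a column UserPeer.LOGIN ("user.LOGIN"). They are not part of
// Torque itself and exist here only to make the example concrete.
public class UserDao {

    // Columns the caller is allowed to sort by (hypothetical names).
    private static final List SORTABLE_COLUMNS =
        Arrays.asList(new String[] { UserPeer.LOGIN, UserPeer.ID });

    // A strict shape for login names that may enter a custom fragment.
    private static final Pattern LOGIN_SHAPE = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    /**
     * Vulnerable: the raw request parameter is concatenated into a CUSTOM
     * fragment. Criteria does not inspect the string, so an input such as
     *     x' OR '1'='1
     * turns the WHERE clause into   user.LOGIN = 'x' OR '1'='1'
     * and the query returns every row.
     */
    public List findByLoginUnsafe(String login) throws TorqueException {
        Criteria crit = new Criteria();
        crit.add(UserPeer.LOGIN, "user.LOGIN = '" + login + "'", Criteria.CUSTOM);
        return UserPeer.doSelect(crit);
    }

    /**
     * Intended path for user-supplied values: pass the value to Criteria and
     * let Torque render the comparison instead of building SQL text yourself.
     */
    public List findByLogin(String login) throws TorqueException {
        Criteria crit = new Criteria();
        crit.add(UserPeer.LOGIN, login);
        return UserPeer.doSelect(crit);
    }

    /**
     * Custom SQL where the DAO layer does the checking the ORM does not:
     * the fragment is only built after the input has been constrained to a
     * narrow allow-list, so no quoting or keywords can be smuggled in.
     */
    public List findByLoginPrefix(String prefix, String sortColumn) throws TorqueException {
        if (!LOGIN_SHAPE.matcher(prefix).matches()) {
            throw new IllegalArgumentException("login prefix has an unexpected shape");
        }
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("sort column not allowed");
        }
        Criteria crit = new Criteria();
        // UPPER(...) LIKE is the kind of "SQL trick" a CUSTOM fragment is for;
        // the prefix is safe to embed only because of the pattern check above.
        crit.add(UserPeer.LOGIN,
                 "UPPER(user.LOGIN) LIKE UPPER('" + prefix + "%')",
                 Criteria.CUSTOM);
        crit.addAscendingOrderByColumn(sortColumn);
        return UserPeer.doSelect(crit);
    }
}
```

The rule the example encodes is the one from the reply: Criteria will happily execute whatever string it is given, so every CUSTOM fragment that contains caller data needs a check in the DAO (allow-list, strict pattern, or a numeric parse) before the string is assembled, and values that do not need custom SQL should go through add(column, value).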




Vitzethum, Daniel schrieb:
Hello all,

Is anything known about the vulnerability of Torque (versions 3.1 / 3.2)
regarding SQL injection? One of our customers wants to know if anything
has to be done to make Torque resistant against attacks of this kind...

Many thanks in advance,

Daniel



