Antonio,

Prepared statements, if created correctly, will work, but if your statements are 
created dynamically with text strings as the values instead of "?" placeholders, 
problems can occur.

See the link from Gary Affonso's post:
http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

And page 16 of the following link:
http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf

Thx.

Mike

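As an added illustration of the point above (example code, not from the original thread or from Struts/Hibernate), the two patterns side by side, using Python's sqlite3 module whose "?" placeholders behave like a JDBC PreparedStatement; the table and the sample value are constructed for the example:

```python
import sqlite3

# Constructed sample value containing the characters the thread worries about:
# single quote, double quote, ampersand, semicolon and parentheses.
SAMPLE_NAME = """O'Brien & Sons; ("Ltd")"""


def new_db():
    # Fresh in-memory database with one constructed table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_by_concatenation(conn, name):
    # The "created dynamically with text strings" pattern: the value is spliced
    # into the SQL text, so the database parses the data as part of the statement.
    sql = "INSERT INTO customer (name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_with_placeholder(conn, name):
    # The "?" placeholder pattern: the SQL text is fixed and the value is sent
    # separately as a parameter, so it can never change the statement's structure.
    conn.execute("INSERT INTO customer (name) VALUES (?)", (name,))


def concatenation_fails(name=SAMPLE_NAME):
    # Returns True when ordinary data breaks the dynamically built statement:
    # the single quote in the name ends the string literal early and the
    # remainder is parsed as SQL, which here surfaces as a syntax error.
    conn = new_db()
    try:
        insert_by_concatenation(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def placeholder_roundtrip(name=SAMPLE_NAME):
    # Stores and reads back the same value through placeholders; every
    # special character survives untouched because it was never parsed as SQL.
    conn = new_db()
    insert_with_placeholder(conn, name)
    row = conn.execute("SELECT name FROM customer WHERE name = ?", (name,)).fetchone()
    return row[0]
```

The same distinction applies to Hibernate HQL: `createQuery("... where name = :name").setParameter(...)` binds a value, while building the HQL string from user input does not.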

--- On Thu, 11/15/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote:

> From: Antonio Petrelli <[EMAIL PROTECTED]>
> Subject: Re: Struts Validator to Prevent SQL Injection Attacks
> To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> Date: Thursday, November 15, 2007, 11:21 AM
> 2007/11/15, Mike Duffy <[EMAIL PROTECTED]>:
> > No matter where this is done, the basic problem is we
> > have single quotes, double quotes, ampersands, semicolons,
> > and parentheses in our data.
> 
> This may be off topic, but does it not suffice to use prepared
> statements and parameters to avoid such attacks?
> 
> Antonio
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]


