Hi Mike,

My comments below.


Mike Duffy wrote:
Thx Gary.

That is good information.

We are actually using JBoss with EJB 3.0, which uses Hibernate under the covers, so I am assuming we are covered.

Not that sure... if your DAO uses SQL strings in the queries (Hibernate lets you do that), then you're not covered.

But if you use the placeholder and HQL or the Criteria APIs, then you're covered.



Mike


--- On Thu, 11/15/07, Gary Affonso <[EMAIL PROTECTED]> wrote:

From: Gary Affonso <[EMAIL PROTECTED]>
Subject: Re: Struts Validator to Prevent SQL Injection Attacks
To: "Struts Users Mailing List" <user@struts.apache.org>
Cc: [EMAIL PROTECTED]
Date: Thursday, November 15, 2007, 11:13 AM
Dave Newton wrote:
--- Mike Duffy <[EMAIL PROTECTED]> wrote:
Does anyone have a great solution for a validator that will prevent users from entering malicious SQL into form entry text fields?
I'm not sure that belongs in a validator; unless you never need to allow the use of a single quote. It is, however unlikely, conceivable that Little Bobby Tables[1] actually exists in the real world.

Personally I'd put escaping either in a separate interceptor or on the business logic/pre-business logic data scrubbing side of things.
Agreed.

If you're using Hibernate (or even raw JDBC with parameterized statements), you get scrubbing automagically...

http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

Note that it *is* possible to go wrong with Hibernate (and even easier to go wrong with JDBC), so read up on how you can accidentally break automagic scrubbing support.

Like Dave said, this is probably not something you want to do in an Interceptor (or even in your Service layer). You almost certainly want this in your DAO layer and you probably want to rely on your underlying DAO tool to "do the right thing".

Just be sure to write unit tests (or in this case, integration tests) for the DAO methods to test the scrubbing.

If you're using Spring and its DAO support (you are, aren't you? :-) writing both the DAO (either Hibernate or JDBC) is *really* easy and it has integration testing support that makes unit-testing the DAOs *really* awesome.

Did I mention that I like Spring? :-)

- Gary

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






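To make the "SQL strings vs. placeholders" distinction from the reply above concrete, and to show the kind of DAO scrubbing test Gary recommends, here is an added example that is not code from this thread, from Struts or from Hibernate. It uses Python's sqlite3 module as a stand-in for the JDBC/Hibernate query layer: one DAO method builds the SQL text from its argument, the other binds the argument to a placeholder, and a small check exercises both with quote-bearing input. The table, its rows and the two inputs are all constructed for this example.

```python
"""Placeholder binding vs. string-built SQL, against an in-memory SQLite DB.
Added example (not from the Struts thread); sqlite3 stands in for the
JDBC PreparedStatement / Hibernate Query mechanism discussed there."""
import sqlite3

# Constructed sample data: a tiny users table, as a DAO might query it.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("o'brien", "obrien@example.invalid"),   # a legitimate name with a quote
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the thread warns about: SQL text built from the input.
    A single quote inside `name` changes the structure of the statement,
    so the database can no longer tell data from query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # Even a benign name such as o'brien breaks the statement outright.
        return ["<SQL error: %s>" % exc]


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the driver passes `name` as a value, never as
    SQL text, so quotes in the input are matched literally."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def dao_scrubbing_check() -> dict:
    """The integration test Gary recommends: drive both DAO methods with
    inputs containing quotes and record what each one returns."""
    conn = make_db()
    legit = "o'brien"
    # Constructed input that closes the quoted literal early; the unsafe
    # method lets it widen the WHERE clause, the safe method matches nothing.
    hostile = "x' OR 'a'='a"
    return {
        "unsafe_legit": find_by_name_unsafe(conn, legit),
        "safe_legit": find_by_name_safe(conn, legit),
        "unsafe_hostile": find_by_name_unsafe(conn, hostile),
        "safe_hostile": find_by_name_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in dao_scrubbing_check().items():
        print("%-15s %r" % (label, rows))
```

The check is the part worth carrying into a real DAO test suite: the placeholder method returns exactly the one matching row for the quoted name and an empty result for the hostile input, while the string-built method fails on the legitimate name and returns every row for the hostile one. In Java the equivalent of the `?` binding is a JDBC `PreparedStatement` parameter or Hibernate's `Query.setParameter` / Criteria restrictions; concatenating the form field into HQL or SQL text is the case the reply above says is "not covered".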
