Whoops sorry Mike, I misread your post, and I did not notice that you were confirming what I wrote before.
Sorry
Antonio

2007/11/15, Mike Duffy <[EMAIL PROTECTED]>:
> Antonio,
>
> Prepared statements if created correctly will work, but if your statements
> are created dynamically with text strings as the values instead of "?"
> placeholders problems can occur.
>
> See the link from Gary Affonso's post:
> http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc
>
> And page 16 of the following link:
> http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf
>
> Thx.
>
> Mike
>
> --- On Thu, 11/15/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote:
>
> > From: Antonio Petrelli <[EMAIL PROTECTED]>
> > Subject: Re: Struts Validator to Prevent SQL Injection Attacks
> > To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> > Date: Thursday, November 15, 2007, 11:21 AM
> > 2007/11/15, Mike Duffy <[EMAIL PROTECTED]>:
> > > No matter where this is done, the basic problem is we
> > > have single quotes, double quotes, ampersands, semicolons,
> > > and parentheses in our data.
> >
> > This may be off topic, but does it not suffice to use
> > prepared
> > statements and parameters to avoid such attacks?
> >
> > Antonio

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
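Mike's distinction above (a statement whose values are bound to "?" placeholders versus one whose SQL text is assembled from the values) as an added example that is not part of this thread: it uses Python's sqlite3 module, whose "?" placeholders bind the same way JDBC's do, and a constructed in-memory users table rather than any Struts or Hibernate code.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example; the names are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """The 'prepared statement' Mike warns about: the value is pasted into
    the SQL text, so there is no '?' and the driver never sees a parameter."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Correct form: the SQL text is fixed and the value is bound to '?'."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # Legitimate data containing a single quote: the concatenated query is
    # no longer valid SQL, the bound parameter is simply compared as text.
    try:
        results["concat_obrien"] = find_user_concat(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        results["concat_obrien"] = "error: " + str(e)
    results["param_obrien"] = find_user_param(conn, "O'Brien")
    # Input that contains SQL syntax: concatenation changes the query's
    # meaning (every row matches), the bound parameter matches no row.
    hostile = "' OR '1'='1"
    results["concat_hostile"] = find_user_concat(conn, hostile)
    results["param_hostile"] = find_user_param(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```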