On 10/5/06, Ottinger, Joseph <[EMAIL PROTECTED]> wrote:
I was playing around with JCR's query facility and realised something a little 
scary. Perhaps I'm just ignorant, but... hey, that's why I email the list, 
right?

When I build SQL queries, I do something like this:
"select * from nt:unstructured where foo='"+bar+"'";

Oh, wait. If I was actually using JDBC, I'd *never* do this, because some fool out there 
will try to set bar to something that will return more than I want it to return. To wit: 
bar might equal "a' or 1=1" and lo, every node will be returned. Application 
error at best, exposure of sensitive data at worst.

Then I thought, well, hey, I have XPath, right? But in XPath, I can construct a 
query the same way. Hello, security hole.

Am I missing something?

Well, unlike databases, JCR *does* provide fine-grained access control, i.e. the
user will only get those results which he has read-access on.

cheers
stefan
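
Added example, not part of either message and not Jackrabbit's own code: it puts the concatenated statement from the question beside a version that quotes bar as a literal, and reduces each statement to its shape so a change in query structure is visible. The class and helper names are hypothetical, the input values are constructed, and it assumes the query language reads a doubled single quote inside a literal as one quote character (the standard SQL literal rule).

```java
public class JcrLiteralDemo {
    // The concatenation from the message above: bar is pasted in verbatim.
    static String naive(String bar) {
        return "select * from nt:unstructured where foo='" + bar + "'";
    }

    // Hypothetical helper: quote a value as a string literal by doubling
    // every single quote, so the value cannot close the literal early.
    static String literal(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    static String escaped(String bar) {
        return "select * from nt:unstructured where foo=" + literal(bar);
    }

    // Returns the statement with every quoted literal collapsed to '?'.
    // An unterminated literal is marked so a broken statement is visible.
    static String skeleton(String stmt) {
        StringBuilder out = new StringBuilder();
        boolean inLiteral = false;
        for (int i = 0; i < stmt.length(); i++) {
            char c = stmt.charAt(i);
            if (!inLiteral) {
                if (c == '\'') { inLiteral = true; out.append('?'); }
                else out.append(c);
            } else if (c == '\'') {
                // A doubled quote is an escaped quote and stays inside the literal.
                if (i + 1 < stmt.length() && stmt.charAt(i + 1) == '\'') i++;
                else inLiteral = false;
            }
        }
        if (inLiteral) out.append("<unterminated>");
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the last one is the value quoted in the question.
        String[] inputs = { "plain", "O'Brien", "a' or 1=1" };
        String expected = skeleton(escaped("x"));
        for (String bar : inputs) {
            String shape = skeleton(escaped(bar));
            System.out.println("input:   " + bar);
            System.out.println("naive:   " + skeleton(naive(bar)));
            System.out.println("escaped: " + shape
                    + (shape.equals(expected) ? "  [shape unchanged]" : "  [SHAPE CHANGED]"));
        }
    }
}
```

On a repository that implements JCR 2.0, Query.bindValue with a $bar placeholder in a JCR-SQL2 statement keeps the value out of the statement text altogether.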