I'm not aware what the OWASP recommendations are. When 2 layers serve
different goals and one of them is vulnerable, it doesn't make sense to protect
the other one - that other layer wouldn't even know what to protect against since
it could interoperate with any kind of back-end.

On Thu, Jan 7, 2010 at 12:46, cordenier christophe
<christophe.corden...@gmail.com> wrote:
> Yes i understand and i agree with your point and i have also read the
> security consideration written by Howard on his blog about SQL escaping. But
> we are trying to follow OWASP recommendations and each layer should be
> protected, not only for SQL escaping. While others are already handled by
> Tapestry, this one is important also for older applications that do not use
> JPA implementations
>
> 2010/1/7 Thiago H. de Paula Figueiredo <thiag...@gmail.com>
>
>> On Wed, 06 Jan 2010 16:51:52 -0200, cordenier christophe <
>> christophe.corden...@gmail.com> wrote:
>>
>>
>>> Tapestry has a lot of security mechanisms regarding type control, method
>>> events control... but sql escaping is missing, this is my first goal but i
>>> am writing a mechanism with an extensible and configurable list of codec.
>>>
>>
>> IMHO, SQL escaping is something to be done at the persistence layer level,
>> not at the presentation layer (Tapestry).
>> By the way, using some object-relational mapping like Hibernate, JPA or
>> iBatis solves the problem for you, as they do the escaping automatically.
>>
>> --
>> Thiago H. de Paula Figueiredo
>> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
>> and instructor
>> Owner, software architect and developer, Ars Machina Tecnologia da
>> Informação Ltda.
>> http://www.arsmachina.com.br
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>
>>
>



-- 
Andreas Andreou - andy...@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting
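As an added illustration of the persistence-layer approach discussed in this thread (example code, not from any of the posters or from Tapestry): the value coming from the presentation layer is bound as a query parameter, so no escaping is needed there and no knowledge of the back-end's quoting rules is required. The `Customer` entity, the `EntityManager` and the JDBC `Connection` are assumed to be supplied by the application.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

// Hypothetical entity used only for this example.
@Entity
class Customer {
    @Id Long id;
    String name;
}

public final class CustomerLookup {

    // JPA path (Hibernate, EclipseLink, ...): the input string arrives from the
    // presentation layer untouched. It is bound as a named parameter, so the
    // provider and driver treat it as data regardless of which database is
    // behind the EntityManager. A name such as "O'Brien" is matched literally.
    public static List<Customer> findByNameJpa(EntityManager em, String name) {
        TypedQuery<Customer> q = em.createQuery(
            "SELECT c FROM Customer c WHERE c.name = :name", Customer.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Plain JDBC path for the "older applications" mentioned in the thread:
    // a PreparedStatement placeholder replaces any string concatenation, and
    // the driver handles the value according to its own back-end's rules.
    public static int countByNameJdbc(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM customer WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

The point of both methods is that the presentation layer never has to choose an escaping scheme: the value is kept separate from the statement text all the way down to the driver.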
