bighead4694 said: Hello,
Can anybody tell me how to avoid SQL insertion attacks in Java?
Thanks a lot
bighead
Malte said: Apart from double-checking all input variables, disallow dynamic SQL. Most banks, AFAIK, allow only static SQL, although this is also for performance reasons. Use CallableStatement and stored procedures, i.e. get as much SQL out of the Java layer as possible.
Dotty said: Firewall and login/password.
BTW, I have an application that inserts 4096 rows using one INSERT statement. (MySQL)
My backend DBMS is Oracle.
Great! AFAIK, they have native support for prepared statements. Simply pass all arguments received externally as ? parameters to your prepared statement. This will protect you against SQL insertion/injection attacks.
Please respond if you need more help/info...
steve said: no it will not!!
Kindly explain, or apologize for calling people idiots.
That is another topic and is - in my opinion - not related to SQL injection.
steve said: Nope, i don't think so, get over it. Then take a look at the replies.
I find it offensive when i see piss poor replies to people who require genuine help.
We have a guy that has requested help, which is fine.
However i see only 1 reasonable reply, and that is to use stored procedures and call outs. (remembering that the 'helpee' did not give any information on the application/security level, but DID state he was using Oracle)
and then there is your reply. (use prepared statements && ?)
consider the code:
    String sql = "Select object_code,client_file_name,filedatestamp from client_code_java where deleted=0 and rep_index=?";
    PreparedStatement st = dbconn.prepareStatement(sql);
    st.setString(1, indexkey);               // Bind the replication index
    ResultSet rset = st.executeQuery();      // Execute Query
this satisfies your reply of "using ?" and prepared statements
Is it secure?
hmm
1. String sql = "Select * from client_code_java where ?=null";
2. String sql = "Select * from client_code_java where ?<>null";
(null can be anything and 'nothing', it is null)
3. indexkey='"";
so far that is 3 ways to attack this "perfect" system.
that's not even considering how to easily recover passwords from an oracle thin JDBC connection.
Which would make any prepared statement and '?' F**&K useless.
now consider how you would hack:
    String The_qry = "{ call external_user.fgfdgfddfg.asa(?,?,?,?,?,?,?,?,?,?,?,?,?)}";
where "external_user" has connect privs. only.
replies on a postage stamp please.
if people require help, then help, but if you have not thought about the question then STFU.
Steve.
Chris said: Technically, the two prepared statements above are actually valid. (However, in ANSI SQL they will always return zero rows because comparisons with NULL yield NULL rather than true or false.) However, you can't plug in a column name there; only a literal value. This is, of course, incredibly useless, so your queries are quite valid but still unlikely to be correct.
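As an added illustration (not code posted by anyone in this thread), the following Java puts the concatenated query beside the bound-parameter form recommended above and the CallableStatement form Malte suggested, and covers Chris's point that a ? can carry only a value, never a column name. The class name, the procedure client_pkg.lookup and the allowlist of sortable columns are assumptions; the table and column names come from steve's snippet.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class ClientCodeDao {
    // Vulnerable form: the externally supplied value is spliced into the SQL text,
    // so a quote in the input changes the structure of the statement.
    static String buildUnsafeQuery(String indexkey) {
        return "select object_code from client_code_java where deleted=0 and rep_index='"
                + indexkey + "'";
    }

    // Hardened form: the value travels as a bound parameter. SQL text and value are
    // sent to the driver separately, so the input is always one literal.
    static ResultSet findByIndex(Connection dbconn, String indexkey) throws SQLException {
        String sql = "select object_code from client_code_java where deleted=0 and rep_index=?";
        PreparedStatement st = dbconn.prepareStatement(sql);
        st.setString(1, indexkey);
        return st.executeQuery();
    }

    // Stored-procedure call out (procedure name is hypothetical): bound the same way.
    static void callLookup(Connection dbconn, String indexkey) throws SQLException {
        try (CallableStatement cs = dbconn.prepareCall("{ call client_pkg.lookup(?) }")) {
            cs.setString(1, indexkey);
            cs.execute();
        }
    }

    // A ? carries a value only, never an identifier, so a caller-chosen sort column
    // must be checked against a fixed allowlist (assumed set) before it reaches the SQL.
    private static final Set<String> SORTABLE =
            Set.of("object_code", "client_file_name", "filedatestamp");

    static String orderByClause(String requestedColumn) {
        if (!SORTABLE.contains(requestedColumn)) {
            throw new IllegalArgumentException("unknown sort column: " + requestedColumn);
        }
        return " order by " + requestedColumn;
    }

    public static void main(String[] args) {
        // Constructed input containing a stray quote, as in steve's point 3.
        System.out.println(buildUnsafeQuery("abc'def")); // malformed SQL: rep_index='abc'def'
        System.out.println(orderByClause("filedatestamp"));
    }
}
```

With findByIndex the same "abc'def" input is bound as a single literal and the statement structure is unchanged.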
Lee Fesperman said: Those constructs are not standard SQL (see my reply). Technically, they would yield UNKNOWN not NULL, if supported. And as you say, they are useless. Can you indicate where they are defined and in which ANSI standard?
I appreciate the effort, but I don't need any help with that guy, as you see ;^)