On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
>
> If a piece of SQL is executed in a JDBC prepared statement that
> includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of
> SQL
> still executes even though the overall statement is invalid.
>
> Example:
>
> select c1 from t1 order by;drop t2; c1
>
> This causes security issues if the SQL is constructed from a web page
> that
> inputs strings that are used to construct a statement, since a hacker
> can
> embed SQL within a single field that executes regardless of the overall
>
> statement being invalid.
Use java.sql.PreparedStatement instead of java.sql.Statement. The driver
will safely escape the user-entered string so that SQL Injection cannot
take place. Look through the archives for list (IRC last summer-ish). ISTR
we had some discussion on SQL Injection and some patches to the driver
were submitted.
>
> See article:
>
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
There are undoubtably better resources on the net regarding this subject
and how to avoid it as well as best-practice web application design.
--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller
Business |
| Computer Consultants |
http://www.thomas-micro-systems-ltd.co.uk |
+------------------------------+---------------------------------------------+