Posted to user@struts.apache.org by Mike Duffy <md...@yahoo.com> on 2007/11/15 18:42:20 UTC

Struts Validator to Prevent SQL Injection Attacks

Does anyone have a great solution for a validator that will prevent users from entering malicious SQL into form entry text fields?

Thx.

Mike


      ____________________________________________________________________________________
Get easy, one-click access to your favorites. 
Make Yahoo! your homepage.
http://www.yahoo.com/r/hs 

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Roberto Nunnari <ro...@supsi.ch>.
Hi Mike.

My comments below.


Mike Duffy wrote:
> Thx Gary.
> 
> That is good information.
> 
> We are actually using JBoss with EJB 3.0, which uses Hibernate under
>  the covers, so I am assuming we are covered.

Not that sure... if your DAO uses SQL strings in the queries (Hibernate
lets you do that), then you're not covered.

But if you use the placeholder and HQL or the Criteria APIs, then
you're covered.


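The two cases Roberto distinguishes, as an added example that is not from the thread or from Hibernate's own documentation: a hypothetical `UserDao` written against the Hibernate 3 `Session` API, with the mapped `User` entity and its `name` property assumed.

```java
import java.util.List;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

// Hypothetical DAO for a hypothetical mapped entity "User" with a "name"
// property; written against the Hibernate 3 Session API.
public class UserDao {
    private final Session session;

    public UserDao(Session session) {
        this.session = session;
    }

    // NOT covered: the caller's value is spliced into the HQL text. A single
    // quote in the name closes the literal and whatever follows is parsed as
    // part of the query, so Hibernate has nothing to protect here.
    @SuppressWarnings("unchecked")
    public List<User> findByNameUnsafe(String name) {
        String hql = "from User u where u.name = '" + name + "'";
        return session.createQuery(hql).list();
    }

    // Covered: the HQL text is constant and the value goes in through a
    // named placeholder. Quotes, semicolons, parentheses and SQL keywords
    // in the name are just characters of the bound value.
    @SuppressWarnings("unchecked")
    public List<User> findByName(String name) {
        return session.createQuery("from User u where u.name = :name")
                      .setParameter("name", name)
                      .list();
    }

    // Also covered: with the Criteria API there is no query text for the
    // value to end up in at all.
    @SuppressWarnings("unchecked")
    public List<User> findByNameWithCriteria(String name) {
        Criteria criteria = session.createCriteria(User.class)
                                   .add(Restrictions.eq("name", name));
        return criteria.list();
    }
}
```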


Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Mike Duffy <md...@yahoo.com>.
Thx Gary.

That is good information.

We are actually using JBoss with EJB 3.0, which uses Hibernate under
 the covers, so I am assuming we are covered.

Mike




Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Gary Affonso <gl...@greywether.com>.
Dave Newton wrote:
> --- Mike Duffy <md...@yahoo.com> wrote:
>> Does anyone have a great solution for a validator
>> that will prevent users from entering malicious SQL
>> into form entry text fields?
> 
> I'm not sure that belongs in a validator; unless you
> never need to allow the use of a single quote. It is,
> however unlikely, conceivable that Little Bobby
> Tables[1] actually exists in the real world.
> 
> Personally I'd put escaping either in a separate
> interceptor or on the business logic/pre-business
> logic data scrubbing side of things.

Agreed.

If you're using Hibernate (or even raw JDBC with parameterized 
statements), you get scrubbing automagically...

http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

Note that it *is* possible to go wrong with Hibernate (and even easier 
to go wrong with JDBC), so read up on how you can accidentally break 
automagic scrubbing support.

Like Dave said, this is probably not something you want to do in an 
Interceptor (or even in your Service layer).  You almost certainly want 
this in your DAO layer and you probably want to rely on your 
underlying DAO tool to "do the right thing".

Just be sure to write unit tests (or in this case, integration tests) 
for the DAO methods to test the scrubbing.

If you're using Spring and its DAO support (you are, aren't you? :-) 
writing both the DAO (either Hibernate or JDBC) is *really* easy and it 
has integration testing support that makes unit-testing the DAO's 
*really* awesome.

Did I mention that I like Spring? :-)

- Gary

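An added example (not Gary's code or the project's) of the DAO integration test he recommends: a hypothetical JDBC `CustomerDao` exercised with JUnit 4 against an in-memory HSQLDB database, both assumed to be on the classpath, using a constructed name that contains the single quotes, double quotes, ampersands, semicolons and parentheses Mike mentions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.junit.Test;
import static org.junit.Assert.assertEquals;

public class CustomerDaoTest {
    // Hypothetical DAO: the SQL text is a constant, the value is bound to "?".
    static class CustomerDao {
        private final Connection conn;
        CustomerDao(Connection conn) { this.conn = conn; }

        List<String> findEmailsByName(String name) throws SQLException {
            // The accidental way to break this is passing
            // "... where name = '" + name + "'" to prepareStatement():
            // the value is then already in the text and nothing is left to bind.
            PreparedStatement ps = conn.prepareStatement(
                    "select email from customer where name = ?");
            ps.setString(1, name);           // the driver, not the app, does the quoting
            ResultSet rs = ps.executeQuery();
            List<String> emails = new ArrayList<String>();
            while (rs.next()) emails.add(rs.getString(1));
            rs.close(); ps.close();
            return emails;
        }
    }

    @Test
    public void awkwardCharactersStayData() throws SQLException {
        Connection conn = DriverManager.getConnection("jdbc:hsqldb:mem:daotest", "sa", "");
        Statement st = conn.createStatement();
        st.execute("create table customer(name varchar(100), email varchar(100))");
        // Constructed rows; the second name has every character Mike listed.
        String awkward = "O'Brien & Sons; (UK) \"Ltd\"";
        PreparedStatement ins = conn.prepareStatement("insert into customer values (?, ?)");
        ins.setString(1, "Alice");   ins.setString(2, "alice@example.org"); ins.executeUpdate();
        ins.setString(1, awkward);   ins.setString(2, "ob@example.org");    ins.executeUpdate();
        CustomerDao dao = new CustomerDao(conn);
        assertEquals("ob@example.org", dao.findEmailsByName(awkward).get(0));  // found as plain data
        assertEquals(1, dao.findEmailsByName(awkward).size());
        assertEquals(0, dao.findEmailsByName("Bob'").size());   // no rows, and no syntax error
        conn.close();
    }
}
```

With the concatenated variant described in the comment, the last assertion would fail with a syntax error instead of an empty result, which is exactly the regression this test is there to catch.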


Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Antonio Petrelli <an...@gmail.com>.
2007/11/15, Mike Duffy <md...@yahoo.com>:
> Prepared statements if created correctly will work, but if your statements are created dynamically with text strings as the values instead of "?" placeholders problems can occur.

I wonder why you create query strings this way: you can always
create a query dynamically, with a variable number of parameters.
In the PDF you sent, there is this sentence:

<snip>
SQL Statements using bind variables are generally immune to SQL
Injection attacks as the Oracle
database will use the value of the bind variable exclusively and not
interpret the contents of the
variable in any way. PL/SQL and JDBC allow for bind variables. Bind
variables should be
extensively used for both security and performance reasons.
</snip>

I think you have no excuse :-)

Antonio

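Antonio's point that a query can be built dynamically and still use bind variables, as an added example that is not from the thread: the number of `?` placeholders follows the size of the list, but the values themselves are bound, never spliced into the text. The `orders` table and its `id` and `status` columns are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Assumes a table "orders" with columns "id" and "status".
public class OrderQueries {

    // The pattern Mike describes, kept only so the difference is visible: the
    // values are written into the SQL text, so the application is responsible
    // for quoting them, and a quote inside a status changes the statement.
    public static String inListSqlSpliced(List<String> statuses) {
        StringBuilder sql = new StringBuilder("select id from orders where status in (");
        for (int i = 0; i < statuses.size(); i++) {
            sql.append(i == 0 ? "'" : ", '").append(statuses.get(i)).append("'");
        }
        return sql.append(")").toString();
    }

    // Antonio's alternative: only the NUMBER of placeholders is dynamic.
    // The text contains nothing that came from the caller.
    public static String inListSql(int count) {
        if (count < 1) {
            throw new IllegalArgumentException("at least one status is required");
        }
        StringBuilder sql = new StringBuilder("select id from orders where status in (");
        for (int i = 0; i < count; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    public static List<Long> findOrderIds(Connection conn, List<String> statuses)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(inListSql(statuses.size()));
        for (int i = 0; i < statuses.size(); i++) {
            ps.setString(i + 1, statuses.get(i));   // JDBC parameter indexes are 1-based
        }
        ResultSet rs = ps.executeQuery();
        List<Long> ids = new ArrayList<Long>();
        while (rs.next()) ids.add(rs.getLong(1));
        rs.close();
        ps.close();
        return ids;
    }
}
```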


Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Antonio Petrelli <an...@gmail.com>.
Whoops, sorry Mike, I misread your post, and I did not notice that you
were confirming what I wrote before.

Sorry
Antonio



Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Mike Duffy <md...@yahoo.com>.
Antonio,

Prepared statements if created correctly will work, but if your statements are created dynamically with text strings as the values instead of "?" placeholders problems can occur.

See the link from Gary Affonso's post:
http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

And page 16 of the following link:
http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf

Thx.

Mike




Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Antonio Petrelli <an...@gmail.com>.
2007/11/15, Mike Duffy <md...@yahoo.com>:
> No matter where this is done, the basic problem is we have single quotes, double quotes, ampersands, semicolons, and parentheses in our data.

This may be off topic, but does it not suffice to use prepared
statements and parameters to avoid such attacks?

Antonio



Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Mike Duffy <md...@yahoo.com>.
No matter where this is done, the basic problem is we have single quotes, double quotes, ampersands, semicolons, and parentheses in our data.

After Googling on this topic for an hour or so I do not see an elegant solution, other than possibly filtering on SQL key words (DROP, ALTER, etc.).

Has anyone created an elegant solution for this problem within the Struts framework?

Mike

 




Re: Struts Validator to Prevent SQL Injection Attacks

Posted by Dave Newton <ne...@yahoo.com>.
--- Mike Duffy <md...@yahoo.com> wrote:
> Does anyone have a great solution for a validator
> that will prevent users from entering malicious SQL
> into form entry text fields?

I'm not sure that belongs in a validator; unless you
never need to allow the use of a single quote. It is,
however unlikely, conceivable that Little Bobby
Tables[1] actually exists in the real world.

Personally I'd put escaping either in a separate
interceptor or on the business logic/pre-business
logic data scrubbing side of things.

d.

[1] http://xkcd.com/327/
