Posted to users@camel.apache.org by moj0002 <mo...@hotmail.com> on 2014/05/01 03:18:48 UTC

JDBC allowNamedParameters=false

I am writing a DELETE statement using the JDBC component and want to make
sure there are no SQL injection possibilities. My statement does not have
any input parameters; it is basically a table with a few columns, including one
called MOD_TIME.

The SQL statement is in a bean:

    DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days

Since I have no bind variables or other parameters, I assume it is not
possible to inject SQL, but I'm not completely sure.

Would I want to set allowNamedParameters to false to be doubly sure, and
what is the benefit?

I read about one security issue related to stylesheets where someone can
submit messages to a route. I'm not sure how that would work: how do people gain
access to a route, and can they submit arbitrary SQL? I don't think so.

Route:

    <route id="db-purger">
        <from uri="quartz2://myGroup/purgeTable?cron=0 20 */1 * * ?" />
        <log message="Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}"/>
        <bean ref="purgeBean" method="deleteProcessData"/>
        <to uri="jdbc://myDataSource"/>
        <log message="Rows deleted from PROCESS_TABLE: ${header.CamelJdbcUpdateCount}"/>
    </route>

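As an added example (not from the post above and not Apache Camel's own code), here is the same purge route in the Java DSL with a bean whose statement is a compile-time constant, placed next to the concatenation pattern that would open the statement to header content and the named-parameter form that binds the value instead. The class and header names (PurgeBean, PurgeRoute, retentionDays, cutoff) are hypothetical, and the `:?name` placeholder with `useHeadersAsParameters=true` assumes a camel-jdbc version that supports header-bound named parameters.

```java
// Added example, not from the original post or from Apache Camel.
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;

public class PurgeBean {

    // Safe: the statement is a constant. Nothing from the exchange (headers,
    // body, properties) is ever concatenated into it, so there is no injection
    // surface regardless of who can send messages to the route.
    public String deleteProcessData() {
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days";
    }

    // Pattern to avoid: if the retention period ever came from a header,
    // string concatenation would let header content become part of the SQL.
    public String deleteWithConcat(Exchange exchange) {
        String days = exchange.getIn().getHeader("retentionDays", String.class); // hypothetical header
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - " + days + " days";
    }

    // Hardened: bind the value as a named parameter. With
    // useHeadersAsParameters=true on the jdbc endpoint, camel-jdbc turns
    // ":?cutoff" into a prepared-statement placeholder filled from the header,
    // so the value is never interpreted as SQL.
    public String deleteWithNamedParameter(Exchange exchange) {
        java.sql.Timestamp cutoff = java.sql.Timestamp.from(
                java.time.Instant.now().minus(java.time.Duration.ofDays(2)));
        exchange.getIn().setHeader("cutoff", cutoff); // hypothetical header
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= :?cutoff";
    }
}

class PurgeRoute extends RouteBuilder {
    @Override
    public void configure() {
        // Same schedule as the XML route; '+' stands in for spaces in the Java DSL URI.
        from("quartz2://myGroup/purgeTable?cron=0+20+*/1+*+*+?")
            .log("Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}")
            .bean(PurgeBean.class, "deleteProcessData")
            // useHeadersAsParameters is only needed for the named-parameter variant.
            .to("jdbc:myDataSource?useHeadersAsParameters=true")
            .log("Rows deleted from PROCESS_TABLE: ${header.CamelJdbcUpdateCount}");
    }
}
```

Swap `deleteProcessData` for `deleteWithNamedParameter` in the `.bean(...)` call to run the bound-parameter variant; the concatenating method is there only to show what not to write.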