Posted to users@camel.apache.org by moj0002 <mo...@hotmail.com> on 2014/05/01 03:18:48 UTC
JDBC allowNamedParameters=false
I am writing a DELETE statement using the JDBC component and want to make
sure there are no SQL injection possibilities. My statement does not have
any input parameters; it is basically a table with a few columns, including one
called MOD_TIME.
The SQL statement is in a bean:
DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days
Since I have no bind variables or other parameters, I assume it is not
possible to inject SQL, but I am not completely sure.
Would I want to set allowNamedParameters to false to be doubly sure, and
what is the benefit?
I read about one security issue related to stylesheets where someone can
submit messages to a route. I'm not sure how that would work: how do people gain
access to a route, and can they submit arbitrary SQL? I don't think so.
Route:
<route id="db-purger">
  <from uri="quartz2://myGroup/purgeTable?cron=0 20 */1 * * ?"/>
  <log message="Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}"/>
  <bean ref="purgeBean" method="deleteProcessData"/>
  <to uri="jdbc://myDataSource"/>
  <log message="Rows deleted from PROCESS_TABLE: ${header.CamelJdbcUpdateCount}"/>
</route>
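Added example, not the poster's code: the purge bean written out in three shapes, the poster's constant statement, the string-concatenated shape that does create an injection surface, and a parameterised shape that keeps the SQL text constant and binds the cutoff through a camel-jdbc named parameter. The class name PurgeBean, the header names and the Java DSL route are illustrative assumptions; allowNamedParameters and useHeadersAsParameters are the component's own options.

```java
// Added example, not from the original post: the purge bean in three shapes.
// PurgeBean, the "retentionDays" header and the ":?cutoff" parameter name
// are illustrative choices; the route options are Camel JDBC's.
import java.sql.Timestamp;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.apache.camel.Exchange;
import org.apache.camel.Header;
import org.apache.camel.builder.RouteBuilder;

public class PurgeBean {

    // 1. What the poster has: a constant statement with no external input.
    //    No route data reaches the SQL text, so there is nothing to inject,
    //    whatever allowNamedParameters is set to.
    public String deleteProcessData() {
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days";
    }

    // 2. The shape to avoid: SQL text assembled from a value the route
    //    received. Anything placed in the header becomes part of the statement.
    public String deleteProcessDataUnsafe(@Header("retentionDays") String days) {
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - "
                + days + " days";
    }

    // 3. Parameterised form: the SQL text is constant and the cutoff is bound
    //    through a named parameter (":?name"), which camel-jdbc fills from the
    //    header of the same name when useHeadersAsParameters=true. The driver
    //    binds it as a typed value, never as SQL text.
    public String deleteProcessDataParameterised(Exchange exchange) {
        Instant cutoff = Instant.now().minus(2, ChronoUnit.DAYS);
        exchange.getIn().setHeader("cutoff", Timestamp.from(cutoff));
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= :?cutoff";
    }

    // Route wiring for shape 3 (Java DSL equivalent of the poster's XML route).
    public static class PurgeRoute extends RouteBuilder {
        @Override
        public void configure() {
            from("quartz2://myGroup/purgeTable?cron=0 20 */1 * * ?")
                .log("Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}")
                .bean(PurgeBean.class, "deleteProcessDataParameterised")
                .to("jdbc://myDataSource?useHeadersAsParameters=true")
                .log("Rows deleted: ${header.CamelJdbcUpdateCount}");
        }
    }
}
```

The point for the question asked: shape 1 has no injection surface because nothing from the exchange influences the statement text, and allowNamedParameters only governs whether ":?name" placeholders are recognised, so turning it off changes nothing for a constant statement; the risk only appears if the bean starts building the string from route data, as in shape 2.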