Posted to dev@velocity.apache.org by he...@apache.org on 2006/09/17 14:28:23 UTC
svn commit: r447056 - /jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java
Author: henning
Date: Sun Sep 17 05:28:22 2006
New Revision: 447056
URL: http://svn.apache.org/viewvc?view=rev&rev=447056
Log:
Using a prepared statement for the retrieval, thus reducing the risk
of a SQL injection attack on Velocity driven applications that use a
DataSourceResourceLoader. As the id to retrieve is passed in from user
space, there is a small risk that this name could be carefully crafted
to allow an SQL injection attack. Using a PreparedStatement should
prevent this. Suggested by FindBugs.
Modified:
jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java
Modified: jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java?view=diff&rev=447056&r1=447055&r2=447056
==============================================================================
--- jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java (original)
+++ jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java Sun Sep 17 05:28:22 2006
@@ -19,9 +19,9 @@
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.sql.Connection;
+import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
-import java.sql.Statement;
import java.sql.Timestamp;
import javax.naming.InitialContext;
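Review bot: dropping `import java.sql.Statement;` is only safe if `readData` was the sole user of `Statement` in this file; the hunk does not show the rest of the class, so please confirm no other method (or any `ResultSet.getStatement()` handling in callers) still references the type before this goes in.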
@@ -409,13 +409,9 @@
private ResultSet readData(final Connection conn, final String columnNames, final String templateName)
throws SQLException
{
- Statement stmt = conn.createStatement();
-
- String sql = "SELECT " + columnNames
- + " FROM " + tableName
- + " WHERE " + keyColumn + " = '" + templateName + "'";
-
- return stmt.executeQuery(sql);
+ PreparedStatement ps = conn.prepareStatement("SELECT " + columnNames + " FROM "+ tableName + " WHERE " + keyColumn + " = ?");
+ ps.setString(1, templateName);
+ return ps.executeQuery();
}
}
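Review bot: the bind of `templateName` via `ps.setString(1, templateName)` closes the injection path the log message describes, but `columnNames`, `tableName` and `keyColumn` are still concatenated straight into the SQL text in the `conn.prepareStatement("SELECT " + columnNames + " FROM "+ tableName + " WHERE " + keyColumn + " = ?")` line; identifiers cannot be bound as parameters, so this is acceptable only as long as those three values come from loader configuration rather than from anything user-controlled, and a comment stating that assumption (or a simple identifier sanity check at configuration time) would make the remaining trust boundary explicit. Separately, the statement-lifetime issue is unchanged from the old code: the method returns the `ResultSet` and never closes the `PreparedStatement`, so whoever consumes the result must close it through `rs.getStatement().close()` or the handle leaks per template load; worth a note in the method's Javadoc if the caller is expected to do this. Minor style point: `" FROM "+ tableName` is missing the space around `+` used elsewhere on the line.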
---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-dev-help@jakarta.apache.org