Posted to dev@velocity.apache.org by he...@apache.org on 2006/09/17 14:28:23 UTC

svn commit: r447056 - /jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java

Author: henning
Date: Sun Sep 17 05:28:22 2006
New Revision: 447056

URL: http://svn.apache.org/viewvc?view=rev&rev=447056
Log:
Using a prepared statement for the retrieval, thus reducing the risk
of a SQL injection attack on Velocity driven applications that use a
DataSourceResourceLoader. As the id to retrieve is passed in from user
space, there is a small risk that this name could be carefully crafted
to allow an SQL injection attack. Using a PreparedStatement should
prevent this. Suggested by FindBugs.


Modified:
    jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java

Modified: jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java
URL: http://svn.apache.org/viewvc/jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java?view=diff&rev=447056&r1=447055&r2=447056
==============================================================================
--- jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java (original)
+++ jakarta/velocity/engine/trunk/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java Sun Sep 17 05:28:22 2006
@@ -19,9 +19,9 @@
 import java.io.BufferedInputStream;
 import java.io.InputStream;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
 import java.sql.Timestamp;
 
 import javax.naming.InitialContext;
@@ -409,13 +409,9 @@
      private ResultSet readData(final Connection conn, final String columnNames, final String templateName)
          throws SQLException
      {
-         Statement stmt = conn.createStatement();
-
-         String sql = "SELECT " + columnNames
-                      + " FROM " + tableName
-                      + " WHERE " + keyColumn + " = '" + templateName + "'";
-
-         return stmt.executeQuery(sql);
+	 PreparedStatement ps = conn.prepareStatement("SELECT " + columnNames + " FROM "+ tableName + " WHERE " + keyColumn + " = ?");
+	 ps.setString(1, templateName);
+	 return ps.executeQuery();
      }
 }
 
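Review bot: The `?` placeholder on the new prepareStatement line binds only templateName; columnNames, tableName and keyColumn are still concatenated into the SQL text, because JDBC cannot bind identifiers. That is acceptable only if those three values come from trusted loader configuration rather than anything user-influenced, and the method should say so, e.g. `// tableName/keyColumn/columnNames are SQL identifiers and cannot be bound with '?'; they must come from trusted config, never from user input`. A cheap defence in depth would be to reject any of them that does not match a plain identifier pattern such as `[A-Za-z0-9_.,\s]+` before building the query, since a misconfigured or attacker-writable property would otherwise reopen the injection the commit is closing. Separately, the PreparedStatement is never closed here; as the ResultSet is returned to the caller that is presumably the caller's job, but a Javadoc `@return` note saying the caller must close the ResultSet's statement would make that contract explicit. The three added lines are tab-indented while the rest of readData uses spaces.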


