Posted to users@tapestry.apache.org by Geoff Longman <gl...@gmail.com> on 2005/08/08 20:19:25 UTC

SQL Injection Attacks

Has anyone out there given any serious thought towards a strategy for
preventing these kinds of attacks in Tapestry forms?

examples:

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Geoff
-- 
The Spindle guy.           http://spindle.sf.net
Get help with Spindle:   
http://lists.sourceforge.net/mailman/listinfo/spindle-user
Announcement Feed:    
http://www.jroller.com/rss/glongman?catname=/Announcements
Feature Updates:            http://spindle.sf.net/updates

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org


Re: SQL Injection Attacks

Posted by Viktor Szathmary <ph...@gmail.com>.
On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> Thanks for all the information!
> 
> One last question with regards to ORMs that use prepared statements...
> 
> Would the safety, or lack thereof, of these prepared statements be
> dependent on the JDBC driver implementation?

Not unless they are completely broken and violate the
PreparedStatement implementation contract. This would mean that
binding a String containing some escape char like single quote would
break a SQL query - even the worst drivers I have seen implemented
this correctly :)

btw, for an external authority on "why/how to use PreparedStatement" see:

http://www.devx.com/security/Article/20678/0/page/2
http://en.wikipedia.org/wiki/SQL_injection

regards,
  viktor



Re: SQL Injection Attacks

Posted by Geoff Longman <gl...@gmail.com>.
Thanks for all the information!

One last question with regards to ORMs that use prepared statements...

Would the safety, or lack thereof, of these prepared statements be
dependent on the JDBC driver implementation?

Geoff

On 8/8/05, t.n.a. <tn...@sharanet.org> wrote:
> Geoff Longman wrote:
> 
> >Has anyone out there given any serious thought towards a strategy for
> >preventing these kinds of attacks in Tapestry forms?
> >
> >examples:
> >
> >http://www.securiteam.com/securityreviews/5DP0N1P76E.html
> >
> >
> I know it's not what you asked, but it seems to me that SQL injection is
> not an issue when you use an object relational mapper like cayenne or
> hibernate, and (from what I can tell) rarely anyone works directly with
> raw SQL anymore.
> This immunity simply has to do with the fact that protection from such
> an attack is already integrated into the mapper so anything you pass it
> should be fairly safe.
> 
> This question has been asked, but you might have been looking in the
> wrong place (Tapestry related, instead of ORM related) or you simply
> don't presume your friend/colleague will use an ORM:
> http://forum.hibernate.org/viewtopic.php?t=929908&highlight=mysql+jdbc+driver
> http://jroller.com/comments/larrywilliams?anchor=secure_and_successful_posting_with
> http://www.sitepoint.com/forums/showthread.php?t=271353
> 
> For what it's worth, it seems that yes, using prepared statements also
> does the trick, but it's been so long since I last had to work at that
> level... :)
> 
> Cheers,
> Tomislav
> 
> 
> 





Re: SQL Injection Attacks

Posted by "t.n.a." <tn...@sharanet.org>.
Geoff Longman wrote:

>Has anyone out there given any serious thought towards a strategy for
>preventing these kinds of attacks in Tapestry forms?
>
>examples:
>
>http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>  
>
I know it's not what you asked, but it seems to me that SQL injection is
not an issue when you use an object relational mapper like cayenne or
hibernate, and (from what I can tell) rarely anyone works directly with
raw SQL anymore.
This immunity simply has to do with the fact that protection from such
an attack is already integrated into the mapper so anything you pass it
should be fairly safe.

This question has been asked, but you might have been looking in the
wrong place (Tapestry related, instead of ORM related) or you simply
don't presume your friend/colleague will use an ORM:
http://forum.hibernate.org/viewtopic.php?t=929908&highlight=mysql+jdbc+driver
http://jroller.com/comments/larrywilliams?anchor=secure_and_successful_posting_with
http://www.sitepoint.com/forums/showthread.php?t=271353

For what it's worth, it seems that yes, using prepared statements also
does the trick, but it's been so long since I last had to work at that
level... :)

Cheers,
Tomislav



Re: SQL Injection Attacks

Posted by Joel Charlesworth <jc...@gmail.com>.
An additional tidbit of information, if you're using Hibernate for object 
persistence, it utilizes prepared statements to communicate with the 
underlying database.

There are various forum discussions about this, for example 
http://forum.hibernate.org/viewtopic.php?t=929908&highlight=sql+injection

Regards,

JRC

On 8/8/05, Mark Wilcox <ma...@gmail.com> wrote:
> 
> Prepared statements are "safer" because they reduce (essentially
> prevent) the inclusion of raw SQL.
> 
> All they can do is set a value of an expected SQL variable. On top of
> this Java can be used to make sure that you're passing in the proper 
> type of business logic data.
> 
> Mark
> 
> 
> 
> On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> > Cool. Is there a reference somewhere that describes why prepared 
> > statements are safe?
> >
> > Not that I don't trust you all, but the info isn't for me and I will
> > have no credibility without a link or something I can pass along.
> >
> > Thanks!
> >
> > Geoff
> >
> > On 8/8/05, Viktor Szathmary <ph...@gmail.com> wrote:
> > > hi,
> > >
> > > On 8/8/05, Geoff Longman <glongman@gmail.com> wrote:
> > > > Has anyone out there given any serious thought towards a strategy for
> > > > preventing these kinds of attacks in Tapestry forms?
> > >
> > > using PreparedStatements with bound variables is a good enough 
> > > solution for SQL insertion (plus throw in the usual basic data
> > > validation for good measure).
> > >
> > > regards,
> > > viktor
> > >
> > >
> > >
> >
> >
> >
> >
> >
> 
> 
> 


-- 
===================
Joel Charlesworth
joelc@jrctech.com
jcharlesworth@gmail.com

Re: SQL Injection Attacks

Posted by Mark Wilcox <ma...@gmail.com>.
Prepared statements are "safer" because they reduce (essentially
prevent) the inclusion of raw SQL.

All they can do is set a value of an expected SQL variable. On top of
this Java can be used to make sure that you're passing in the proper
type of business logic data.

Mark 



On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> Cool. Is there a reference somewhere that describes why prepared
> statements are safe?
> 
> Not that I don't trust you all, but the info isn't for me and I will
> have no credibility without a link or something I can pass along.
> 
> Thanks!
> 
> Geoff
> 
> On 8/8/05, Viktor Szathmary <ph...@gmail.com> wrote:
> > hi,
> >
> > On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> > > Has anyone out there given any serious thought towards a strategy for
> > > preventing these kinds of attacks in Tapestry forms?
> >
> > using PreparedStatements with bound variables is a good enough
> > solution for SQL insertion (plus throw in the usual basic data
> > validation for good measure).
> >
> > regards,
> >   viktor
> >
> >
> >
> 
> 
> --
> The Spindle guy.           http://spindle.sf.net
> Get help with Spindle:
> http://lists.sourceforge.net/mailman/listinfo/spindle-user
> Announcement Feed:
> http://www.jroller.com/rss/glongman?catname=/Announcements
> Feature Updates:            http://spindle.sf.net/updates
> 
> 
>



Re: SQL Injection Attacks

Posted by Geoff Longman <gl...@gmail.com>.
Thanks again all for the trove of information!

Geoff

On 8/8/05, Nick Westgate <ni...@key-planning.co.jp> wrote:
> Hi Geoff.
> 
> I deal with these regularly, and have stepped through JDBC drivers
> from the client side java all the way through to a server's (buggy)
> C++ driver in assembler.
> 
> Basically there are 2 reasons to use PreparedStatement.
> 1 - efficiency, since they're compiled, and the server can cache them
> and just stuff new parameters in for the next query. (Also batch them.)
> 
> 2 - safety, as mentioned it escapes the parameters, though the driver
> I deal with often has problems with parameter handling of Japanese
> characters when using PreparedStatement. The solution in this case is
> to use Statement and escape parameters yourself, which sucks!
> 
> Anyway, quick Google search:
> http://www.oracle.com/technology/oramag/oracle/02-sep/o52jdbc.html
> http://www.onjava.com/pub/a/onjava/2001/12/19/oraclejdbc.html?page=last
> 
> Cheers,
> Nick.
> 
> 
> Geoff Longman wrote:
> > Cool. Is there a reference somewhere that describes why prepared
> > statements are safe?
> >
> > Not that I don't trust you all, but the info isn't for me and I will
> > have no credibility without a link or something I can pass along.
> >
> > Thanks!
> >
> > Geoff
> >
> > On 8/8/05, Viktor Szathmary <ph...@gmail.com> wrote:
> >
> >>hi,
> >>
> >>On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> >>
> >>>Has anyone out there given any serious thought towards a strategy for
> >>>preventing these kinds of attacks in Tapestry forms?
> >>
> >>using PreparedStatements with bound variables is a good enough
> >>solution for SQL insertion (plus throw in the usual basic data
> >>validation for good measure).
> >>
> >>regards,
> >>  viktor
> >>
> >>
> >>
> >
> >
> >
> 
> 
> 





Re: SQL Injection Attacks

Posted by Nick Westgate <ni...@key-planning.co.jp>.
Hi Geoff.

I deal with these regularly, and have stepped through JDBC drivers
from the client side java all the way through to a server's (buggy)
C++ driver in assembler.

Basically there are 2 reasons to use PreparedStatement.
1 - efficiency, since they're compiled, and the server can cache them
and just stuff new parameters in for the next query. (Also batch them.)

2 - safety, as mentioned it escapes the parameters, though the driver
I deal with often has problems with parameter handling of Japanese
characters when using PreparedStatement. The solution in this case is
to use Statement and escape parameters yourself, which sucks!

Anyway, quick Google search:
http://www.oracle.com/technology/oramag/oracle/02-sep/o52jdbc.html
http://www.onjava.com/pub/a/onjava/2001/12/19/oraclejdbc.html?page=last

Cheers,
Nick.


Geoff Longman wrote:
> Cool. Is there a reference somewhere that describes why prepared
> statements are safe?
> 
> Not that I don't trust you all, but the info isn't for me and I will
> have no credibility without a link or something I can pass along.
> 
> Thanks!
> 
> Geoff
> 
> On 8/8/05, Viktor Szathmary <ph...@gmail.com> wrote:
> 
>>hi,
>>
>>On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
>>
>>>Has anyone out there given any serious thought towards a strategy for
>>>preventing these kinds of attacks in Tapestry forms?
>>
>>using PreparedStatements with bound variables is a good enough
>>solution for SQL insertion (plus throw in the usual basic data
>>validation for good measure).
>>
>>regards,
>>  viktor
>>
>>
>>
> 
> 
> 

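The points made in this thread in working JDBC code, as an added example that is not from any of the posters: the concatenated query that Nick Stuart and Viktor contrast with bound parameters, Viktor's claim that binding a String containing a single quote does not break the query, Nick Westgate's second reason for PreparedStatement (the driver handles the escaping), and Mark's note about using Java's types. It assumes the H2 jar on the classpath so that jdbc:h2:mem:demo opens an in-memory database; the users table, the class and method names and the sample input are all constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
// Added example, not from the thread. Assumes the H2 jar is on the classpath
// so that jdbc:h2:mem:demo opens an in-memory database; any JDBC driver works.
public class PreparedStatementDemo {
    // The pattern the thread warns against: form input pasted into the SQL text.
    // A quote inside the value changes the statement itself, not just the data.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // The PreparedStatement contract Viktor describes: the SQL text is fixed
    // before any value is bound, so a quote inside the value stays plain data.
    static int countByNameBound(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Mark's point: let the Java type system help. A numeric id is parsed before
    // binding, so non-numeric form input fails here and never reaches the database.
    static String nameById(Connection c, String idFromForm) throws SQLException {
        int id = Integer.parseInt(idFromForm.trim()); // NumberFormatException on junk
        try (PreparedStatement ps = c.prepareStatement("SELECT name FROM users WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users(id INT PRIMARY KEY, name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'O''Brien')");
            }
            String input = "O'Brien"; // constructed sample: a legitimate name with a quote
            System.out.println("bound:  " + countByNameBound(c, input)); // quote is bound as data
            try {
                System.out.println("concat: " + countByNameConcat(c, input));
            } catch (SQLException e) { // the quote in the data broke the concatenated SQL
                System.out.println("concat: " + e.getMessage());
            }
            System.out.println("by id:  " + nameById(c, " 2 "));
        }
    }
}
```

Run it with the H2 jar on the classpath; the bound query finds the row while the concatenated one fails with a syntax error, which is the driver-independent behaviour Viktor describes.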


Re: SQL Injection Attacks

Posted by Geoff Longman <gl...@gmail.com>.
Cool. Is there a reference somewhere that describes why prepared
statements are safe?

Not that I don't trust you all, but the info isn't for me and I will
have no credibility without a link or something I can pass along.

Thanks!

Geoff

On 8/8/05, Viktor Szathmary <ph...@gmail.com> wrote:
> hi,
> 
> On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> > Has anyone out there given any serious thought towards a strategy for
> > preventing these kinds of attacks in Tapestry forms?
> 
> using PreparedStatements with bound variables is a good enough
> solution for SQL insertion (plus throw in the usual basic data
> validation for good measure).
> 
> regards,
>   viktor
> 
> 
> 





Re: SQL Injection Attacks

Posted by Viktor Szathmary <ph...@gmail.com>.
hi,

On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> Has anyone out there given any serious thought towards a strategy for
> preventing these kinds of attacks in Tapestry forms?

using PreparedStatements with bound variables is a good enough
solution for SQL insertion (plus throw in the usual basic data
validation for good measure).

regards,
  viktor



Re: SQL Injection Attacks

Posted by Nick Stuart <ba...@gmail.com>.
You can avoid most, if not all, of these types of attacks by using
prepared statements (either via straight JDBC or through your database
of choice internally). I've found that I've never had any reason to
NOT use PreparedStatements in either desktop or web based apps, and
one of the big helpers is that they automatically take care of parsing
out any weird characters that the database may not like.

-Nick

p.s. This isn't Tapestry specific, it applies to ANY web based app
that is backed by a database, and allows straight query parameters in
the request line.

On 8/8/05, Geoff Longman <gl...@gmail.com> wrote:
> Has anyone out there given any serious thought towards a strategy for
> preventing these kinds of attacks in Tapestry forms?
> 
> examples:
> 
> http://www.securiteam.com/securityreviews/5DP0N1P76E.html
> 
> Geoff
> 
> 
>
