Posted to dev@commons.apache.org by Henri Yandell <fl...@gmail.com> on 2008/01/17 08:52:58 UTC

[configuration] DatabaseConfiguration - should it escape SQL?

Should the DatabaseConfiguration class be responsible for protecting
against SQL Injection, or should we make sure the javadoc states that
it offers no protection and leave that up to the user?

Hen

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [configuration] DatabaseConfiguration - should it escape SQL?

Posted by Hasan Diwan <ha...@gmail.com>.
On 19/01/2008, Oliver Heger <ol...@oliver-heger.de> wrote:
> I created a ticket for this issue [1], so that it won't get lost.

I've actually submitted a patch to fix the "problem".

-- 
Cheers,
Hasan Diwan <ha...@gmail.com>



Re: [configuration] DatabaseConfiguration - should it escape SQL?

Posted by Oliver Heger <ol...@oliver-heger.de>.
Henri Yandell schrieb:
> On Jan 17, 2008 1:17 PM, Oliver Heger <ol...@oliver-heger.de> wrote:
>> Henri Yandell schrieb:
>>
>>> Should the DatabaseConfiguration class be responsible for protecting
>>> against SQL Injection, or should we make sure the javadoc states that
>>> it offers no protection and leave that up to the user?
>>>
>>> Hen
>>>
>> Adding a note about this topic to the documentation would certainly do
>> no harm.
>>
>>  From a short look at the code I think that chances for SQL Injection on
>> a correctly initialized DatabaseConfiguration (i.e. the settings for the
>> database table are valid) are pretty small: Everywhere
>> PreparedStatements are used.
> 
> Fortify was flagging for all the places where prepared statements are
> built from strings with variables in them - i.e. columnName etc.
> 
> I think this is a case of the SQL Injection worry being outside the
> scope of the library. For example; no one is concerned that java.sql
> has SQL Injection issues.
> 
> +1 to the javadoc.
> 
> Hen
> 
I created a ticket for this issue [1], so that it won't get lost.

Oliver

[1] https://issues.apache.org/jira/browse/CONFIGURATION-304



Re: [configuration] DatabaseConfiguration - should it escape SQL?

Posted by Henri Yandell <fl...@gmail.com>.
On Jan 17, 2008 1:17 PM, Oliver Heger <ol...@oliver-heger.de> wrote:
> Henri Yandell schrieb:
>
> > Should the DatabaseConfiguration class be responsible for protecting
> > against SQL Injection, or should we make sure the javadoc states that
> > it offers no protection and leave that up to the user?
> >
> > Hen
> >
>
> Adding a note about this topic to the documentation would certainly do
> no harm.
>
>  From a short look at the code I think that chances for SQL Injection on
> a correctly initialized DatabaseConfiguration (i.e. the settings for the
> database table are valid) are pretty small: Everywhere
> PreparedStatements are used.

Fortify was flagging for all the places where prepared statements are
built from strings with variables in them - i.e. columnName etc.

I think this is a case of the SQL Injection worry being outside the
scope of the library. For example; no one is concerned that java.sql
has SQL Injection issues.

+1 to the javadoc.

Hen

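The point Hen and Oliver are circling above is worth seeing concretely: a PreparedStatement protects the values it binds, but table and column names cannot be bound as parameters, so they end up concatenated into the statement text. That concatenation is what Fortify flags, and it is why a "correctly initialized" DatabaseConfiguration (trusted table and column names) is the precondition for safety. The following is an added example, not code from this thread or from Commons Configuration. It uses Python's built-in sqlite3 so it runs stand-alone, but the mechanism it shows (bound value parameters versus identifiers pasted into the SQL string) is the same in JDBC. ConfigStore and check_identifier are hypothetical names invented for the example; the table layout and the "secrets" table are constructed test data.

```python
"""Added example (not from the mailing-list thread or from Commons
Configuration): why parameter binding alone does not close every SQL
injection surface in a table-backed configuration store.

Keys and values are bound as parameters.  Table and column names cannot be
parameters, so they are concatenated into the statement text; the only
defence for them is to refuse anything that is not a plain identifier.
ConfigStore below is a hypothetical stand-in for DatabaseConfiguration.
"""
import re
import sqlite3

# Identifiers (table/column names) cannot be bound, so they are allow-listed:
# letters, digits and underscore only, nothing that could close or extend
# the surrounding SQL.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_identifier(name: str) -> str:
    """Return name unchanged if it is a plain SQL identifier, else raise."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


class ConfigStore:
    """Key/value configuration held in one table (hypothetical example class)."""

    def __init__(self, conn, table, key_col, value_col, validate=True):
        if validate:
            table, key_col, value_col = map(check_identifier, (table, key_col, value_col))
        self.conn = conn
        # The identifiers are pasted into the statement text exactly once, here.
        # This is the string-building step a scanner flags.
        self._select = f"SELECT {value_col} FROM {table} WHERE {key_col} = ?"
        self._insert = f"INSERT INTO {table} ({key_col}, {value_col}) VALUES (?, ?)"

    def get(self, key):
        # The key is a bound parameter: quotes inside it are data, not SQL.
        row = self.conn.execute(self._select, (key,)).fetchone()
        return None if row is None else row[0]

    def set(self, key, value):
        self.conn.execute(self._insert, (key, value))


def demo():
    """Run the three cases and return their outcomes as a dict."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE config (cfg_key TEXT PRIMARY KEY, cfg_value TEXT);
        CREATE TABLE secrets (name TEXT, token TEXT);
        INSERT INTO secrets VALUES ('api', 's3cr3t');   -- constructed test data
    """)
    store = ConfigStore(conn, "config", "cfg_key", "cfg_value")
    store.set("db.user", "app")

    # 1. A hostile *value* is harmless: the quote and the OR clause are stored
    #    and looked up literally, and the bare key "x" matches nothing.
    hostile_key = "x' OR '1'='1"
    store.set(hostile_key, "literal")
    results = {
        "bound_value_is_data": store.get(hostile_key) == "literal"
        and store.get("x") is None,
    }

    # 2. A hostile *identifier* with validation switched off: the column name
    #    becomes a scalar subquery and the lookup returns a row from another
    #    table.  The statement still has its single ? so it executes cleanly.
    evil_col = "(SELECT token FROM secrets)"
    unchecked = ConfigStore(conn, "config", "cfg_key", evil_col, validate=False)
    results["unchecked_identifier_leaks"] = unchecked.get("db.user")

    # 3. The same identifier is rejected up front when validation is on.
    try:
        ConfigStore(conn, "config", "cfg_key", evil_col)
        results["checked_identifier_rejected"] = False
    except ValueError:
        results["checked_identifier_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The regex allow-list is the minimum; a stricter check compares the configured names against the live schema (for SQLite, `PRAGMA table_info`) so that even a syntactically clean but unexpected column name is refused. Either way the check belongs where the names enter the library, which is the documentation point the thread settles on: values are safe by construction, identifiers are only as trustworthy as whoever supplied the configuration.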


Re: [configuration] DatabaseConfiguration - should it escape SQL?

Posted by Oliver Heger <ol...@oliver-heger.de>.
Henri Yandell schrieb:
> Should the DatabaseConfiguration class be responsible for protecting
> against SQL Injection, or should we make sure the javadoc states that
> it offers no protection and leave that up to the user?
> 
> Hen
> 

Adding a note about this topic to the documentation would certainly do
no harm.

From a short look at the code I think that chances for SQL Injection on
a correctly initialized DatabaseConfiguration (i.e. the settings for the
database table are valid) are pretty small: Everywhere
PreparedStatements are used.

Oliver
