Posted to user@struts.apache.org by David Graham <gr...@yahoo.com> on 2003/10/24 17:47:09 UTC
[OT] Re: far reaching db question
> I create DB inserts from my Struts application.
> But if a user types in the character ', any dynamically created inserts fail.
> This is because of the SQL syntax, which delimits the string to be
> saved with '.
>
> For example: insert into table test (name, number) values ('mr burns',
> '01723256477');
>
> How can I handle inserts from HTML forms that contain the typed character ' ?
>
Always use PreparedStatements. They handle the ' for you and prevent
other SQL injection attacks.
David
> Greetings,
> Manuel
__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Reply: [OT] Re: far reaching db question
Posted by Kwok Peng Tuck <pe...@makmal.net>.
I guess depending on the driver for the db, it would know what to do to
escape the quotes.
Hmm, shouldn't :
prepare.executeQuery(sql) ;
be this instead :
prepare.executeUpdate(sql) ;
?
Anyway Manuel, what error are you getting?
Manuel Lenz wrote:
>How do PreparedStatements handle single quotes and other injection
>attacks?
>I changed my db connection from normal Statement code to prepared
>statements.
>But the error is still the same.
>
>Here is my test code:
>Connection conn = null;
>PreparedStatement prepare = null;
>ServletContext context = as.getServletContext();
>boolean ret = false;
>
>try
>{
>    DataSource ds = (DataSource)
>        context.getAttribute(Action.DATA_SOURCE_KEY);
>
>    // Update Banf data
>    String sql = "update tab_article set ..."
>    System.out.println (sql);
>
>    conn = ds.getConnection();
>    prepare = conn.prepareStatement(sql);
>    prepare.executeQuery(sql);
>}
>catch (Exception ex)
>....
>
>Do I need some extra code for injection attacks, or is this code
>wrong?
>
>Regards,
>Manuel
Reply: RE: Reply: [OT] Re: far reaching db question
Posted by Manuel Lenz <Lz...@viessmann.com>.
How can I do that?
"Navjot Singh" <na...@net4india.net>
28.10.2003 12:32
Please reply to "Struts Users Mailing List"
To: "Struts Users Mailing List"
<st...@jakarta.apache.org>
Cc:
Subject: RE: Reply: [OT] Re: far reaching db question
you should escape your sql data values for mischievous chars like single
quotes etc.
RE: Reply: [OT] Re: far reaching db question
Posted by Navjot Singh <na...@net4india.net>.
you should escape your sql data values for mischievous chars like single
quotes etc.
Re: Reply: [OT] Re: far reaching db question
Posted by David Graham <gr...@yahoo.com>.
--- Manuel Lenz <Lz...@viessmann.com> wrote:
> How do PreparedStatements handle single quotes and other injection
> attacks?
This is JDBC driver dependent. Each database might handle single quote
escaping differently; however, doubling them with another single quote
seems to be common.
> I changed my db connection from normal Statement code to prepared
> statements.
> But the error is still the same.
>
> Here is my test code:
> Connection conn = null;
> PreparedStatement prepare = null;
> ServletContext context = as.getServletContext();
> boolean ret = false;
>
> try
> {
>     DataSource ds = (DataSource)
>         context.getAttribute(Action.DATA_SOURCE_KEY);
>
>     // Update Banf data
>     String sql = "update tab_article set ..."
>     System.out.println (sql);
>
>     conn = ds.getConnection();
>     prepare = conn.prepareStatement(sql);
>     prepare.executeQuery(sql);
> }
> catch (Exception ex)
You should be catching SQLException here. Catching Exception is almost
*always* wrong. You should also have a finally block that closes the
connection.
> ....
>
> Do I need some extra code for injection attacks, or is this code
> wrong?
No, the driver should handle this for you. You can test it by stringing
together two SQL statements with a ; in between and see if both get
executed. If the driver is doing its job, you'll get an SQLException.
David
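The following is an added example, not code from the thread or from Struts. It puts David's advice from both of his replies into one runnable class (placeholders instead of string concatenation, catch SQLException rather than Exception, close the connection on every path, then check with a stacked-statement payload) together with Kwok's point that an INSERT/UPDATE goes through executeUpdate. It assumes the H2 JDBC driver is on the classpath so that jdbc:h2:mem:demo gives an in-memory database; the tab_article table, its columns (name, number) and the sample inputs are constructed for the demo, since the thread only shows fragments.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not code from the thread. Assumes the H2 JDBC driver is on the
 * classpath so that jdbc:h2:mem:demo gives an in-memory database; the table
 * tab_article and its columns (name, number) are constructed here for the demo.
 */
public class PreparedStatementDemo {

    // Constructed inputs: the kind of value that broke Manuel's inserts, and a
    // stacked-statement payload of the kind David suggests testing with.
    static final String QUOTED_NAME = "O'Brien";
    static final String PAYLOAD_NAME = "x', '0'); drop table tab_article; --";

    // The pattern from the thread: user input spliced into the SQL text. The '
    // in the name ends the string literal early, so the driver throws
    // SQLException on a syntax error; a payload that keeps the syntax valid
    // would instead run as extra SQL on any driver that accepts stacked statements.
    static void insertByConcatenation(Connection conn, String name, String number)
            throws SQLException {
        String sql = "insert into tab_article (name, number) values ('"
                + name + "', '" + number + "')";
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    // David's fix: ? placeholders in the SQL, values bound with setString. The
    // driver transmits the value as data, so ' and ; never reach the parser as
    // syntax. Also executeUpdate rather than executeQuery for an INSERT/UPDATE
    // (Kwok's point), and no SQL string passed to execute*: the statement was
    // already prepared, and the String-argument forms are not allowed on a
    // PreparedStatement.
    static int insertWithParameters(Connection conn, String name, String number)
            throws SQLException {
        String sql = "insert into tab_article (name, number) values (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, number);
            return ps.executeUpdate();
        }
    }

    // The same shape for the UPDATE in Manuel's test code (column list assumed).
    static int updateNumber(Connection conn, String name, String newNumber)
            throws SQLException {
        String sql = "update tab_article set number = ? where name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, newNumber);
            ps.setString(2, name);
            return ps.executeUpdate();
        }
    }

    // Check: what is stored is exactly what the user typed, and the table survived.
    static String readNumber(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "select number from tab_article where name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // try-with-resources closes the connection on every path, which is what
        // David's "finally block" advice achieves in pre-Java-7 code.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo", "sa", "")) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("create table tab_article (name varchar(100), number varchar(20))");
            }

            try {
                insertByConcatenation(conn, QUOTED_NAME, "01723256477");
            } catch (SQLException e) {
                // Catch SQLException specifically, not Exception (David's point).
                System.out.println("concatenated insert failed: " + e.getMessage());
            }

            int inserted = insertWithParameters(conn, QUOTED_NAME, "01723256477")
                    + insertWithParameters(conn, PAYLOAD_NAME, "0");
            System.out.println("rows inserted with parameters: " + inserted);
            System.out.println("rows updated: " + updateNumber(conn, QUOTED_NAME, "01723000000"));
            System.out.println("O'Brien now has number " + readNumber(conn, QUOTED_NAME));
            System.out.println("payload stored as plain data: " + readNumber(conn, PAYLOAD_NAME));
        }
    }
}
```

Run it with the H2 jar on the classpath: the concatenated insert of O'Brien fails with a syntax error, the two parameterised inserts store both names verbatim, and the final select shows that tab_article still exists with the payload sitting in it as an ordinary string. One caveat on the code Manuel posted: prepare.executeQuery(sql) hands the SQL text to the driver a second time, and the JDBC API does not permit the String-argument executeQuery/executeUpdate/execute methods on a PreparedStatement, so that call fails regardless of what the driver does about quotes; the prepared form takes no argument, as in ps.executeUpdate() above.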
Reply: [OT] Re: far reaching db question
Posted by Manuel Lenz <Lz...@viessmann.com>.
How do PreparedStatements handle single quotes and other injection
attacks?
I changed my db connection from normal Statement code to prepared
statements.
But the error is still the same.
Here is my test code:
    Connection conn = null;
    PreparedStatement prepare = null;
    ServletContext context = as.getServletContext();
    boolean ret = false;

    try
    {
        DataSource ds = (DataSource)
            context.getAttribute(Action.DATA_SOURCE_KEY);

        // Update Banf data
        String sql = "update tab_article set ..."
        System.out.println (sql);

        conn = ds.getConnection();
        prepare = conn.prepareStatement(sql);
        prepare.executeQuery(sql);
    }
    catch (Exception ex)
    ....
Do I need some extra code for injection attacks, or is this code
wrong?
Regards,
Manuel