[Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?
Calderon, Juan Carlos (GE, Corporate, consultant)
juan.calderon at ge.com
Thu Sep 23 12:18:53 EDT 2010
Still think it is possible, what about something like this:
// imports: java.sql.PreparedStatement, java.sql.ResultSet, java.sql.SQLException
public ResultSet SelectRecords(String query, QueryParam... params) throws SQLException {
    // Look for static values like strings between quotes and dates between pounds;
    // all data must come in through the parameters collection
    if (ContainsOnTheFlyValues(query)) {
        throw new ApplicationException("Queries cannot contain static values, use parameters collection to pass data to the query");
    }
    PreparedStatement pstmt = this.conn.prepareStatement(query);
    try {
        for (int i = 0; i < params.length; i++) {
            QueryParam param = params[i];
            int idx = i + 1; // JDBC parameter indices start at 1, not 0
            switch (param.type) {
                case INT:
                    pstmt.setInt(idx, (Integer) param.value);
                    break;
                case STRING:
                    pstmt.setString(idx, param.value.toString());
                    break;
                // .... more cases here
            }
        }
        // The caller owns the returned ResultSet and closes it (and its statement) when done;
        // closing them in a finally block here would hand back an already-closed result set
        return pstmt.executeQuery();
    } catch (SQLException e) {
        pstmt.close(); // release the statement only when the query fails
        throw e;
    }
}
I think it is generic enough and safe enough, except maybe for numeric SQL injection, which will not be detected by "ContainsOnTheFlyValues".
Regards,
Juan C Calderon
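The literal-detection check the posted method depends on, as an added example that is not code from the thread or from ESAPI; it is written in Python over sqlite3 so it runs stand-alone, and the names `contains_on_the_fly_values`, `select_records` and `demo` are assumptions. The optional numeric check covers the gap noted above (bare numbers are not literals the basic check sees), and `demo` shows why binding is the real protection: the same hostile value matches nothing when bound and every row when concatenated.

```python
import re
import sqlite3

# Literal values embedded in the SQL text: strings between quotes and dates between pounds,
# the two cases the posted ContainsOnTheFlyValues looks for.
_STRING_LITERAL = re.compile(r"'[^']*'")
_DATE_LITERAL = re.compile(r"#[^#]*#")
# A bare number that is not part of an identifier such as t1 or col_2. Note that this
# stricter check also rejects legitimate constants (LIMIT 10, active = 1), so it is optional.
_NUMERIC_LITERAL = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")


def contains_on_the_fly_values(query: str, reject_numbers: bool = False) -> bool:
    """True if the query text embeds data values instead of placeholders."""
    if _STRING_LITERAL.search(query) or _DATE_LITERAL.search(query):
        return True
    return reject_numbers and _NUMERIC_LITERAL.search(query) is not None


def select_records(conn, query: str, params: tuple, reject_numbers: bool = True) -> list:
    """Generic parameterised select: refuse literal values, then bind every value."""
    if contains_on_the_fly_values(query, reject_numbers):
        raise ValueError("Queries cannot contain static values, use parameters collection to pass data to the query")
    if query.count("?") != len(params):
        raise ValueError("placeholder count does not match parameter count")
    return conn.execute(query, params).fetchall()


def demo():
    """Constructed table and input; returns (rows with binding, rows with concatenation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    hostile = "x' OR '1'='1"  # constructed value that changes the WHERE clause if concatenated
    bound = select_records(conn, "SELECT name FROM users WHERE name = ?", (hostile,))
    concat = conn.execute("SELECT name FROM users WHERE name = '" + hostile + "'").fetchall()
    return bound, concat
```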
________________________________
From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Wednesday, September 22, 2010 08:57 p.m.
To: Calderon, Juan Carlos (GE, Corporate, consultant); 'John Melton'
Cc: 'Vasten'; 'ESAPI-Developers'; esapi-user at lists.owasp.org
Subject: RE: [Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?
> What about creating a DAO layer that uses prepared statements under the hood and flagging encoders as deprecated?
The problem is, those DAO layers are normally very specific to each app. But I agree, most apps should be written with PreparedStatements or HQL. Even better, use the object-based query APIs found in Hibernate and other ORMs. It would be difficult to pull that off in ESAPI so it's generic for everyone.
- Jim
From: Calderon, Juan Carlos (GE, Corporate, consultant) [mailto:juan.calderon at ge.com]
Sent: Friday, September 17, 2010 5:02 AM
To: Jim Manico; John Melton
Cc: Vasten; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: RE: [Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?
What about creating a DAO layer that uses prepared statements under the hood and flagging encoders as deprecated? New classes will be secure and old classes would still be available (with a warning from the compiler).
Regards,
Juan C Calderon
________________________________
From: esapi-dev-bounces at lists.owasp.org [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, September 16, 2010 09:43 p.m.
To: John Melton
Cc: Vasten; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: Re: [Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?
They are last resort. There are edge (very edgy) cases where PreparedStatements dramatically harm performance and manual escaping is required. I will review the JavaDoc and explain this in better detail.
-Jim Manico
http://manico.net
On Sep 16, 2010, at 9:29 PM, John Melton <jtmelton at gmail.com> wrote:
Jim,
If the DB encoders are not recommended, should they be removed, or at least deprecated for future removal?
Thanks,
John
On Thu, Sep 16, 2010 at 10:22 PM, Jim Manico <jim.manico at owasp.org> wrote:
No to Sybase, and please do NOT use the database encoders! They are a (terrible) last resort (nor can we guarantee perfect SQL Injection protection if you use them to escape dynamic queries).
If you want complete SQL injection protection, you should be using the Java PreparedStatement class, variable binding, and the latest Sybase JDBC driver.
Respectfully,
-Jim Manico
http://manico.net
On Sep 16, 2010, at 8:17 PM, Vasten <vasten at gmail.com> wrote:
> Hi:
> I see codecs for Oracle and MySQL, is there one for Sybase?
>
> Thanks,
> keith
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user