[Webappsec] Automatically detecting injections
silky
michaelslists at gmail.com
Mon Apr 28 17:59:31 EDT 2008
On Mon, Apr 28, 2008 at 8:34 PM, Jim Manico <jim at manico.net> wrote:
>
> > yes, but there is no *way* you can make such a claim after performing
> > only that sort of check.
>
> I think Jeff is correct. It is impossible to perform a SQL Injection on a
> Java program of any kind if the programmer is using the PreparedStatement
> class AND binding all untrusted/user-driven variables to the query like so:
with that query yes, not with a query that may do something else.
it's really weird and unwise to be claiming 'total security' for any
sort of given pattern _anyway_, i'm a bit surprised to see 'owasp'
taking that stance, but consider if the underlying sql statement were:
--
exec (?)
--
> PreparedStatement ps = conn.prepareStatement("UPDATE Messages SET description = ?, author = ? WHERE id = ? AND seq_num = ?");
> ps.setString(1, description);   // untrusted values are bound, never concatenated
> ps.setString(2, author);
> ps.setInt(3, id);
> ps.setInt(4, seqNum);
> ps.executeUpdate();
> This is a rather easy pattern to code review for.
>
> PreparedStatement alone will not secure your code from SQL Injection. It's
> the combination of the PreparedStatement AND binding of data from untrusted
> sources. Queries created from String concatenation where variables come from
> untrusted sources are injectable.
>
> If you can find a way to inject the code sample above, you would be the
> first to do so and should publish a paper.
why the attitude?
> - Jim
--
http://lets.coozi.com.au/
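As an added example (not code from the thread), the bound UPDATE from Jim's mail and the `exec (?)` case silky raises, side by side, in Python's sqlite3 module. SQLite has no EXEC and no stored procedures, so the server-side behaviour of `exec (?)` and of a procedure that builds dynamic SQL from its argument is emulated by the hypothetical `prepared_execute`, `server_exec` and `proc_set_description` functions; the Messages table, its row and the payload are constructed for the demo. The application-side functions all look like "fixed statement text plus bound values" to a code reviewer; only the one whose statement text is a real UPDATE is safe.

```python
import sqlite3

# Constructed sample input: a classic stacked-query payload.
PAYLOAD = "x'; DROP TABLE Messages; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with one constructed row; the table mirrors the quoted UPDATE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Messages (id INTEGER, seq_num INTEGER, description TEXT, author TEXT)")
    conn.execute("INSERT INTO Messages VALUES (1, 1, 'hello', 'alice')")
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def current_description(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT description FROM Messages WHERE id = 1").fetchone()[0]


# --- server side (hypothetical emulation; SQLite has none of this) -------------------

def server_exec(conn: sqlite3.Connection, sql_text: str) -> None:
    """What `exec (?)` does with its argument: run it as SQL, however many statements it holds.
    executescript is used because, like a server accepting a batch, it executes every statement."""
    conn.executescript(sql_text)


def proc_set_description(conn: sqlite3.Connection, value: str) -> None:
    """A stored procedure that assembles dynamic SQL from its parameter and EXECs it."""
    server_exec(conn, "UPDATE Messages SET description = '" + value + "' WHERE id = 1")


def prepared_execute(conn: sqlite3.Connection, statement: str, params: tuple):
    """Driver stand-in: fixed statement text plus bound parameters, as PreparedStatement gives you.
    Two statement texts are routed to the emulated server features; everything else is bound by SQLite."""
    if statement.lower() == "exec (?)":
        return server_exec(conn, params[0])
    if statement.lower() == "call set_description(?)":
        return proc_set_description(conn, params[0])
    return conn.execute(statement, params)


# --- application side: four ways of writing "update the description" ----------------

def update_bound(conn, description, author, id_, seq_num) -> None:
    """The quoted pattern: fixed text, every untrusted value bound. The payload stays data."""
    prepared_execute(
        conn,
        "UPDATE Messages SET description = ?, author = ? WHERE id = ? AND seq_num = ?",
        (description, author, id_, seq_num),
    )


def update_concatenated(conn, description, author, id_, seq_num) -> None:
    """The pattern the mail warns about: untrusted values spliced into the statement text."""
    server_exec(conn, f"UPDATE Messages SET description = '{description}', author = '{author}' "
                      f"WHERE id = {id_} AND seq_num = {seq_num}")


def update_via_procedure(conn, description) -> None:
    """Passes the 'PreparedStatement plus binding' review rule, yet the procedure behind the
    placeholder turns the bound value back into SQL."""
    prepared_execute(conn, "CALL set_description(?)", (description,))


def update_via_exec(conn, description) -> None:
    """silky's literal `exec (?)`: the bound 'data' is the statement the server runs."""
    prepared_execute(conn, "exec (?)",
                     ("UPDATE Messages SET description = '" + description + "' WHERE id = 1",))


def demo() -> dict:
    """Run each variant against a fresh database with PAYLOAD and report whether Messages survived."""
    results = {}
    conn = fresh_db(); update_bound(conn, PAYLOAD, "mallory", 1, 1)
    results["bound"] = (table_exists(conn, "Messages"), current_description(conn))
    conn = fresh_db(); update_concatenated(conn, PAYLOAD, "mallory", 1, 1)
    results["concatenated"] = table_exists(conn, "Messages")
    conn = fresh_db(); update_via_procedure(conn, PAYLOAD)
    results["procedure"] = table_exists(conn, "Messages")
    conn = fresh_db(); update_via_exec(conn, PAYLOAD)
    results["exec"] = table_exists(conn, "Messages")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Only `update_bound` keeps the table: the payload is stored verbatim as the description. In the other three the table is dropped, and two of them contain nothing a grep for "PreparedStatement and ?" would flag. The review rule in the quoted mail is sound for the statement text it is applied to; the caveat is that the statement text, and any procedure it invokes, must itself be free of dynamic SQL for the conclusion to hold.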