[Esapi-user] [Esapi-dev] [OWASP-ESAPI] Any codec for Sybase?

Jim Manico jim.manico at owasp.org
Wed Sep 22 21:56:48 EDT 2010


> What about creating a DAO layer that uses prepared statements under the
> hood and flagging encoders as deprecated?

 

The problem is, those DAO layers are normally very specific to each app.
But I agree, most apps should be written with PreparedStatements or HQL.
Even better, use the object-based query APIs found in Hibernate and other
ORMs. It would be difficult to pull that off in ESAPI so it's generic for
everyone.

 

- Jim
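Added example, not code from the thread or from ESAPI: a small DAO in the shape Juan proposes, showing the concatenated query beside its PreparedStatement form and the ORDER BY identifier case that binding cannot cover. The `accounts` table, its columns and the class name are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Set;

/** Constructed DAO example: the SQL text is fixed; only data travels as bound parameters. */
public class AccountDao {
    // Identifiers (table/column names) cannot be bound, so sortable columns come
    // from a fixed allow-list, never from the caller's input.
    private static final Set<String> SORTABLE = Set.of("username", "created_at");
    private final Connection conn;

    public AccountDao(Connection conn) {
        this.conn = conn;
    }

    // UNSAFE: the user-controlled value becomes part of the SQL text, so the query
    // structure depends on its contents; escaping it afterwards is the last resort
    // the thread warns about, not a design.
    public String unsafeQueryText(String username) {
        return "SELECT id FROM accounts WHERE username = '" + username + "'";
    }

    // SAFE: the driver sends statement and value separately; the value cannot alter
    // the statement, whatever quote characters it contains.
    public Long findIdByUsername(String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id FROM accounts WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("id") : null;
            }
        }
    }
    // Dynamic ORDER BY is the usual "it can't be bound" case: validate the identifier
    // against the allow-list and still bind the data value.
    public PreparedStatement listCreatedAfter(Timestamp since, String sortColumn)
            throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, username FROM accounts WHERE created_at > ? ORDER BY " + sortColumn);
        ps.setTimestamp(1, since);
        return ps;
    }
}
```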

 

From: Calderon, Juan Carlos (GE, Corporate, consultant)
[mailto:juan.calderon at ge.com] 
Sent: Friday, September 17, 2010 5:02 AM
To: Jim Manico; John Melton
Cc: Vasten; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: RE: [Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?

 

What about creating a DAO layer that uses prepared statements under the hood
and flagging encoders as deprecated? New classes will be secure and old
classes would still be available (with a warning from the compiler).

 

Regards,

Juan C Calderon

 

  _____  

From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, September 16, 2010 09:43 p.m.
To: John Melton
Cc: Vasten; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: Re: [Esapi-dev] [Esapi-user] [OWASP-ESAPI] Any codec for Sybase?

They are last resort. There are edge (very edgy) cases where
PreparedStatements dramatically harm performance and manual escaping is
required. I will review the JavaDoc and explain this in better detail.


-Jim Manico 

http://manico.net


On Sep 16, 2010, at 9:29 PM, John Melton <jtmelton at gmail.com> wrote:

Jim, 
If the DB encoders are not recommended, should they be removed, or at least
deprecated for future removal?  

Thanks,
John

On Thu, Sep 16, 2010 at 10:22 PM, Jim Manico <jim.manico at owasp.org> wrote:

No to Sybase, and please do NOT use the database encoders! They are a
(terrible) last resort (and we cannot guarantee perfect SQL Injection
protection if you use them to escape dynamic queries).

If you want complete SQL injection protection, you should be using the Java
PreparedStatement class, variable binding, and the latest Sybase JDBC
driver.

Respectfully,

-Jim Manico
http://manico.net


On Sep 16, 2010, at 8:17 PM, Vasten <vasten at gmail.com> wrote:

> Hi:
> I see codecs for Oracle and MySQL, is there one for Sybase?
>
> Thanks,
> keith


 
