[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jeff Williams jeff.williams at aspectsecurity.com
Fri Jul 29 00:12:47 EDT 2011

The language in Encoder.encodeForSQL javadoc seems pretty clear to me.
But I suppose that someone could go straight to the codec package and
use them directly.  That suggests that each Codec should probably point
back to the Encoder as the right interface to use.  I also think some
package-level documentation for the codecs package makes sense.  Then
each of the database codecs (DB2, MySQL, Oracle) should have a
restatement of the warning below.


The JavaDoc is a nice start, but I think the most effective place for
this type of guidance is in an "ESAPI Book" that describes the purpose
and general use of each of the packages.

java.lang.String encodeForSQL(Codec codec, java.lang.String input)

Encode input for use in a SQL query, according to the selected codec
(appropriate codecs include the MySQLCodec and OracleCodec). This method
is not recommended. The use of the PreparedStatement interface is the
preferred approach. However, if for some reason this is impossible, then
this method is provided as a weaker alternative. The best approach is to
make sure any single-quotes are double-quoted. Another possible approach
is to use the {escape} syntax described in the JDBC specification in
section 1.5.6. However, this syntax does not work with all drivers, and
requires modification of all queries.

Parameters:

codec - a Codec that declares which database 'input' is being encoded
for (i.e. MySQL, Oracle, etc.)

input - the text to encode for SQL

Returns:

input encoded for use in SQL

See Also:

JDBC Specification

From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Thursday, July 28, 2011 7:10 PM
To: Dan Cornell
Cc: Jeff Williams; Rama Krishna Pathangi; ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12


Good deal, Dan :) After I get this patch I'll poke around and see where
else I can add this info.

Thanks all,
- Jim Manico

On Jul 28, 2011, at 10:08 AM, Dan Cornell <dan at denimgroup.com> wrote:

    I'll do you one better and send you a patch. Bigger question is
    where else does this guidance need to go?

    Sent from my iPhone

    On Jul 28, 2011, at 9:52 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

        I agree Dan, we really need stronger javadoc language
        here. Can you please register a bug on google code for this and assign
        to me?  I'll handle it as soon as I can.
        - Jim Manico

        On Jul 28, 2011, at 8:33 AM, Dan Cornell
        <dan at denimgroup.com> wrote:

            I agree 100%, Jeff. All encoders are important
            for intrusion detection and canonicalization. I was *only* commenting on
            my desire to see devs use query parameterization over manual encoding.

            Sorry for the mix-up.

            What is the best way to communicate that to
            developers so that the Codecs aren't misused?  The Javadocs for the
            database codecs could be updated and that might help.  Any other ideas?
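The three options the thread is weighing, side by side, as an added example (not code from the ESAPI project or from anyone in the thread): the concatenated query, the PreparedStatement the javadoc prefers, and Encoder.encodeForSQL as the weaker fallback. It assumes an open JDBC Connection, an ESAPI.properties on the classpath, a hypothetical `users` table, and that the target database is Oracle (hence OracleCodec).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;

public class UserLookup {

    // Vulnerable: the untrusted value becomes part of the SQL text, so a
    // single quote inside it closes the literal and whatever follows is
    // parsed as SQL. This is the pattern the javadoc warning exists to stop.
    static ResultSet findUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = '" + username + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // Preferred, as the javadoc says: a PreparedStatement. The driver sends
    // the value separately from the query text, so the value can never
    // change the structure of the query, whatever characters it contains.
    static ResultSet findParameterized(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE username = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Weaker fallback, only where parameterization is genuinely impossible:
    // Encoder.encodeForSQL with the codec for the database actually in use.
    // OracleCodec doubles every single quote, so O'Brien becomes O''Brien and
    // the value stays inside its quoted literal. Two caveats the javadoc
    // implies: the codec must match the real database (MySQLCodec escapes
    // differently), and the encoded value must still sit between quotes.
    static ResultSet findEncoded(Connection conn, String username) throws SQLException {
        String safe = ESAPI.encoder().encodeForSQL(new OracleCodec(), username);
        String sql = "SELECT id, email FROM users WHERE username = '" + safe + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }
}
```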
