[Owasp-leaders] SimpleJDBCCall

Jim Manico jim.manico at owasp.org
Tue Jan 12 21:41:35 UTC 2016


Keep in mind PreparedStatement is NOT *automatic* SQL injection 
protection. You need to bind each variable. THAT is what gives you the 
SQLi protection (and significant performance boost regarding SQL runtime 
execution).

Looking ahead, the future in frameworks is not manual binding - it's 
*automatic binding* like we see in LINQ, ActiveRecord and similar 
technologies.

Aloha,
Jim
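
Jim's distinction in code, as an added Java example (not code from this thread or from the Spring project): the same stored procedure invoked through JdbcTemplate.execute(String) with concatenated input, and through SimpleJdbcCall with a declared parameter that Spring binds. The procedure name find_user, its parameter p_name, the users table and the DataSource are assumptions for the example.

```java
import java.sql.Types;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.SqlParameter;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.simple.SimpleJdbcCall;

/**
 * The protection comes from binding, not from the class name.
 * Stored procedure find_user(p_name), table users and the DataSource
 * are assumptions made for this example.
 */
public class UserLookup {
    private final JdbcTemplate jdbcTemplate;
    private final SimpleJdbcCall findUserCall;

    public UserLookup(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
        // Declaring the parameter lets Spring pass the value through a
        // CallableStatement bind slot instead of through the SQL text.
        this.findUserCall = new SimpleJdbcCall(dataSource)
                .withProcedureName("find_user")
                .declareParameters(new SqlParameter("p_name", Types.VARCHAR));
    }

    /** VULNERABLE: execute(String) sends the text as-is; the caller's input
     *  becomes part of the statement, so it can change its meaning. */
    public void findUserUnsafe(String name) {
        jdbcTemplate.execute("CALL find_user('" + name + "')");
    }

    /** SAFE: the value travels as a bound parameter, never as SQL text. */
    public Map<String, Object> findUserWithSimpleJdbcCall(String name) {
        return findUserCall.execute(
                new MapSqlParameterSource().addValue("p_name", name));
    }

    /** SAFE: the same rule for plain queries, a '?' placeholder plus a bind value. */
    public List<Map<String, Object>> findUserWithBinding(String name) {
        return jdbcTemplate.queryForList(
                "SELECT id, name FROM users WHERE name = ?", name);
    }
}
```

Binding protects the statement the application sends; SQL that a stored procedure assembles dynamically from its own arguments is not covered, so procedure bodies still need review.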


On 1/12/16 11:34 AM, Matt Konda wrote:
> Not always.
>
> https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/jdbc/core/simple/SimpleJdbcCall.html
>
> https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/jdbc/core/JdbcTemplate.html#execute-java.lang.String-
>
> If it uses some of the richer methods, it can be.
>
> Matt
>
>
> On Mon, Jan 11, 2016 at 8:36 AM, Talal Basha <talal.basha at owasp.org 
> <mailto:talal.basha at owasp.org>> wrote:
>
>     Hello Leaders,
>     Regarding the class SimpleJDBCCall in Spring framework, does it
>     provide the same protection against SQLInjection as PreparedStatement?
>
>     regards,
>     Talal.
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
