[Owasp-leaders] SimpleJDBCCall
Jim Manico
jim.manico at owasp.org
Tue Jan 12 21:41:35 UTC 2016
Keep in mind PreparedStatement is NOT *automatic* SQL injection
protection. You need to bind each variable. THAT is what gives you the
SQLi protection (and significant performance boost regarding SQL runtime
execution).
Looking ahead, the future in frameworks is not manual binding - it's
*automatic binding* like we see in LINQ, ActiveRecord and similar
technologies.
Aloha,
Jim
On 1/12/16 11:34 AM, Matt Konda wrote:
> Not always.
>
> https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/jdbc/core/simple/SimpleJdbcCall.html
>
> https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/jdbc/core/JdbcTemplate.html#execute-java.lang.String-
>
> If it uses some of the richer methods, it can be.
>
> Matt
>
>
> On Mon, Jan 11, 2016 at 8:36 AM, Talal Basha <talal.basha at owasp.org> wrote:
>
> Hello Leaders,
> Regarding the class SimpleJDBCCall in the Spring framework, does it
> provide the same protection against SQL injection as PreparedStatement?
>
> regards,
> Talal.
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
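As an added illustration of Jim's point, not code from this thread or from Spring: the same PreparedStatement type is built once by string concatenation and once with a bound parameter, and only the bound form keeps the input out of the SQL parser. It assumes an in-memory H2 database on the classpath; the table, rows and input value are constructed inline for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class BindingDemo {

    // A PreparedStatement built by concatenation: the object type gives no
    // protection, because the input is already part of the SQL text.
    static int countByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // The same query with a bound parameter: the value travels separately
    // from the statement text and cannot alter the query's structure.
    static int countByNameSafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath (jdbc:h2:mem: URL).
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            c.createStatement().execute("CREATE TABLE users(name VARCHAR(64))");
            c.createStatement().execute("INSERT INTO users VALUES ('O''Brien'), ('Smith')");
            String input = "O'Brien"; // constructed: a legitimate value containing a quote
            System.out.println("bound:  " + countByNameSafe(c, input));
            try {
                System.out.println("concat: " + countByNameUnsafe(c, input));
            } catch (SQLException e) {
                // The quote was parsed as SQL syntax: the input reached the parser
                // as code, which is exactly the condition SQL injection relies on.
                System.out.println("concat: SQL error -> " + e.getMessage());
            }
        }
    }
}
```

The bound query returns 1 for the quoted name; the concatenated one fails with a syntax error, which is the symptom to look for when reviewing JDBC or Spring code that builds SQL from strings.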