WebApp Sec: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

From: Christopher Todd <chris_at_christophertodd.com>
Date: Mon, 30 Dec 2002 15:29:26 -0500

I am working on the Java language section of the OWASP Guide to Securing Web
Applications, and I have a question for the list. Have any of you elite SQL
Injectors ever been able to hack an application that was using JDBC
PreparedStatements? Are any of you aware of a theoretical reason this
should be impossible? I have tried, and been unsuccessful, to perform SQL
injection on an example app I coded up, but then again, I am not the world's
most talented SQL Injector.

On another note, have any of you ever successfully used SQL Injection
against a web app that was using Castor JDO, or other similar
Object-Relational mapping tools? Again, I have tried to attack an example
app I coded up and failed. Same question - is it theoretically impossible
to execute SQL injection against apps coded using these techniques and
tools?

I ask these questions because I think these two techniques can be used
effectively to thwart (or at least make more difficult) SQL injection
attacks against Java-based web apps, but I want to validate that belief to
the best extent I can prior to putting such statements into the Guide.
Thanks in advance for any help you can provide, as it will improve the
quality and usefulness of the Guide.

Chris
Received on Dec 30 2002
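As an added illustration (not code from the post, from OWASP, or from Castor), the following Python uses sqlite3's `?` parameter binding, which rests on the same principle as a JDBC PreparedStatement: the statement text is fixed before the value arrives, so the bound value can only ever be compared as data and never re-parsed as SQL. It also shows the caveat a reviewer would raise against the "theoretically impossible" claim: placeholders stand only for values, so any fragment of statement text assembled from input (column names, ORDER BY clauses) still has to be allow-listed. The table, rows, inputs and function names are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: input is pasted into the SQL text, so the parser
    # treats whatever it contains as SQL. Shown only as the 'before' case.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    # Mitigated pattern (the PreparedStatement principle): the SQL text never
    # changes; `name` is handed to the engine as a value after parsing, so a
    # quote or keyword inside it is just characters to compare against.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))]


ALLOWED_COLUMNS = frozenset({"name", "role"})


def lookup_by_column(conn: sqlite3.Connection, column: str, value: str) -> list:
    # Caveat: a placeholder cannot stand for an identifier, so a column name
    # taken from input would have to be spliced into the text. Binding `value`
    # does nothing for that part of the statement; the identifier must be
    # checked against an allow-list before it is used.
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not in allow-list: {column!r}")
    return [row[0] for row in conn.execute(
        f"SELECT name FROM users WHERE {column} = ? ORDER BY name", (value,))]
```

The same caveat carries over to an O-R mapper: it emits parameterised SQL for the queries it generates, but any query text the application builds from strings is still subject to ordinary injection.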
