WebApp Sec: Re: Re: JDBC protections against SQL Injection

[jjs_ritasa () verizon net]

I just posted a blog on this thread at:

http://realeyes-tech.blogspot.com/2009/03/database-security.html

It covers what JDBC does for you security-wise (almost nothing), what I think the solution should be, and points you 
toward what I have done  in my application's UI.  If anyone has any more ideas, I would welcome them.

Later . . .   Jim
http://realeyes.sourceforge.net/


???ƒ?? * wrote:

> > Hey,
> >
> > This preach is applicable for any programming language. It all depends
> > on how well you have done input & output validation. As in what input
> > you expect & what input is malicious for your app. If all goes well
> > you can make SQL injection very difficult or even impossible . The
> > reason I say difficult, because it all depends on how well the SQL
> > injection is crafted. As far as I recollect I don't think JDBC or for
> > that case even java gives you predefined class for doing that. But
> > there is quite a possibility that some one on the internet must have
> > surely written these classes.
> >
> > --
> > Taufiq
> > http://www.niiconsulting.com/products/iso_toolkit.html
> >
> >
> >
> > 2009/3/16  <lister () lihim org>:
> > > > I've heard this preached before.
> > > >
> > > > Using JDBC properly can help protect against SQL Injection.
> > > >
> > > > What protections does JDBC provide?
> > > >
> > > > Does java encode the input to not be malicious?
> > > >
> > > > I'm curious where in the java source/libraries does jdbc help
> > > > to mitigate malicious input when using jdbc.