Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: moksha faced (admin at mokshafaced.com)
Date: Wed Jun 12 2002 - 12:25:50 CDT
Hi Chris,
Java apps aren't "immune" from SQL Injection, but it's
much harder to process in Java. You could argue that
with a properly designed app it would be _impossible_
(if that is ever a valid statement). The app would
need to be written such that the code itself was not
subject to being snooped, overridden or overloaded by
malware at the client (i.e., declare strong
package-based controls and declare public accessor
methods final -- as well as _using_ the security
manager facilities in the JVM), which would *prevent*
a malcontent from viewing your source or manipulating
it from across the net. If you do those things and
process your PreparedStatements using strong input
param filters, you are in pretty safe shape.
--- Chris L Todd <heartogold at lycos.com> wrote:
> Does anyone have experience testing Java apps that
> use JDBC prepared statements for SQL injection
> vulnerabilities? From what I've seen of the API, it
> looks like PreparedStatements pretty much prevent
> SQL injection. Am I correct?
>
> Most of the material I've found online seems to
> relate to MS SQL server SQL injection problems; I've
> found very little discussion of SQL injection
> vulnerabilities in JDBC libraries. Any help or
> pointers to more information would be greatly
> appreciated.
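As an added example (not code posted by either participant in this thread), the following Java program shows what Chris is asking about: the same user-supplied value passed through string concatenation into a Statement versus bound as a parameter on a JDBC PreparedStatement, plus the one case a PreparedStatement does not cover, an identifier (here an ORDER BY column) that has to be part of the SQL text and therefore cannot be bound. The users table, the rows, the payload, and the use of an in-memory H2 database (driver assumed to be on the classpath; any JDBC driver would do) are assumptions made for the demonstration; Set.of needs Java 9 or later.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class JdbcInjectionDemo {

    // VULNERABLE: the attacker-controlled value becomes part of the SQL text,
    // so a single quote in it ends the literal and the rest is parsed as SQL.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the SQL text is fixed at prepare time; the value is shipped as a
    // bound parameter and is only ever compared against the name column.
    static int countByNameBound(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Column and table names cannot be bound with '?', so a PreparedStatement
    // alone does not help here. The hypothetical allow-list below is the check
    // that keeps the concatenated identifier from becoming an injection point.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name");

    static List<String> listActiveSorted(Connection c, String orderBy) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + orderBy);
        }
        String sql = "SELECT name FROM users WHERE active = ? ORDER BY " + orderBy;
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setBoolean(1, true);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 is on the classpath; jdbc:h2:mem gives a throwaway database.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                // Constructed sample data for the demonstration.
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64), active BOOLEAN)");
                st.execute("INSERT INTO users VALUES (1, 'alice', TRUE), (2, 'bob', TRUE), (3, 'carol', FALSE)");
            }

            // Classic tautology payload: closes the literal and appends OR '1'='1'.
            String payload = "x' OR '1'='1";

            // Concatenated: the WHERE clause is now true for every row.
            System.out.println("concat : " + countByNameConcat(c, payload));
            // Bound: the database looks for a user literally named x' OR '1'='1.
            System.out.println("bound  : " + countByNameBound(c, payload));

            // Identifier path: allowed column works, anything else is rejected
            // before it can reach the SQL text.
            System.out.println("sorted : " + listActiveSorted(c, "name"));
            try {
                listActiveSorted(c, "name; DROP TABLE users");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The thing to check when reviewing a JDBC code base is therefore not whether PreparedStatement is used, but whether any request-derived string is concatenated into the text handed to prepareStatement (ORDER BY, LIMIT, table or column names, IN-list construction); those paths need an allow-list or a fixed mapping, since binding with '?' is only available for values.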