Here are my two cents from Java Perspective.
The principal behind SQL injection is pretty simple. When an
application takes user data as an input, there is an opportunity
for a malicious user to enter carefully crafted data that causes
the input to be interpreted as part of a SQL query instead of data.
For example, imagine this line of code:
SELECT * FROM Users WHERE Username='$username' AND
Password='$password'
which is designed to show all records from the table "Users" for a
username and password supplied by a user. Using a Web interface,
when prompted for his username and password, a malicious user might
enter:
1' or '1' = '1
1' or '1' = '1
resulting in the query:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND
Password='1' OR '1' = '1'
The hacker has effectively injected a whole OR condition into the
authentication process. Worse, the condition '1' = '1' is always
true, so this SQL query will always result in the authentication
process being bypassed.
PreCautions :
# Always use java.sql.preparedStatement instead of Statement
# If you project is using EQL instead of SQL, then more safe.
as this has to be translated yet again from EQL to SQL, which gives more opportunity for the intervening software (JPA and the JDBC driver) opportunity to prevent a SQL injection from happening.
This explained in detail @
http://www.cisco.com/web/about/security/intelligence/sql_injection.html
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
Cheat SHEET ->
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Read more on SQL Injection @
https://www.owasp.org/index.php/SQL_Injection
# Always use java.sql.preparedStatement instead of Statement
as this has to be translated yet again from EQL to SQL, which gives more opportunity for the intervening software (JPA and the JDBC driver) opportunity to prevent a SQL injection from happening.
1 comment:
good
Post a Comment