SQL Injection and prepared statements.

[vs]

Just came across ActiveJDBC and am investigaing it's use in a project where security is a big concern.

Wondering if the query and statement composition is parameterized with ActiveJDBC. 

Any pointers on how to use ActiveJDBC in a secure fashion would be much appreciated. 

cheers,

-vs

[igor]

SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it. 

[Lukas Eder]

Hi Igor,

While I think that you're generally right ("SQL injection is a web application problem"), I still think it is a problem "directly related to an ORM". Your claim made me think about this issue and I wrapped it up in a blog post here:

http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection/ 

I can back up the fact that SQL injection cannot and should not be prevented in ActiveJDBC, given that some of its main API elements are "SQL injection methods", such as where():

   Employee.where("department = ? and hire_date > ? ", "IT", hireDate)

But I think that ActiveJDBC should actively position itself with respect to this topic. Tell me what you think!

Cheers

Lukas

[igor]

Lukas, I read your post and it got me thinking. you have all valid points, I will explore this a bit more. I think it also deserves a blog of my own too

thanks
igor

[ipolevoy]

Guys, my response here:

http://igorpolevoy.blogspot.com/2012/07/defend-against-activejdbc-from-sql.html

tx

[igor]

Apologies, that was a bad link, this is a good one:

http://igorpolevoy.blogspot.com/2012/07/defend-against-sql-injection-using.html

[Lukas Eder]

Great Igor,

I've referenced to your post from mine.

Cheers

Lukas

[qica...@hulu.com]

Hi, igor, I meet the same problem, and the picture in your blog is not available now.
Can you give some details about this sql injection problem?

[igor]

Hi, there. Somehow the images broke, but I restored the content without images - take a look