SQL Injection and prepared statements.


vs

Jul 26, 2012, 6:04:10 PM
to activejd...@googlegroups.com
Just came across ActiveJDBC and am investigating its use in a project where security is a big concern.
Wondering if the query and statement composition is parameterized with ActiveJDBC. 

Any pointers on how to use ActiveJDBC in a secure fashion would be much appreciated. 

cheers,
-vs

igor

Jul 27, 2012, 2:08:46 PM
to activejd...@googlegroups.com
SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it. 

Lukas Eder

Jul 29, 2012, 10:53:00 AM
to activejd...@googlegroups.com
Hi Igor,

While I think that you're generally right ("SQL injection is a web application problem"), I still think it is a problem "directly related to an ORM". Your claim made me think about this issue and I wrapped it up in a blog post here:

I can back up the fact that SQL injection cannot and should not be prevented in ActiveJDBC, given that some of its main API elements are "SQL injection methods", such as where():

   Employee.where("department = ? and hire_date > ? ", "IT", hireDate)

But I think that ActiveJDBC should actively position itself with respect to this topic. Tell me what you think!

Cheers
Lukas
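To make the distinction in Lukas's where() example concrete, here is an added demo (not code from the thread or from the ActiveJDBC project) that runs the same lookup both ways. It assumes an H2 in-memory database on the classpath, that the usual ActiveJDBC instrumentation step has been run, and a hypothetical Employee model with a constructed name value containing an apostrophe.

```java
import org.javalite.activejdbc.Base;
import org.javalite.activejdbc.LazyList;
import org.javalite.activejdbc.Model;

// Hypothetical model for this demo; ActiveJDBC maps it to the table "employees".
class Employee extends Model {}

public class WhereDemo {
    public static void main(String[] args) {
        // Assumption: H2 driver on the classpath, ActiveJDBC instrumentation already applied.
        Base.open("org.h2.Driver", "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        try {
            Base.exec("create table employees (id int auto_increment primary key, "
                    + "name varchar(100), department varchar(50))");
            // Constructed sample rows; the apostrophe in the first name is the point of the demo.
            Base.exec("insert into employees (name, department) values (?, ?)", "O'Brien", "IT");
            Base.exec("insert into employees (name, department) values (?, ?)", "Smith", "HR");

            String userInput = "O'Brien";   // constructed: what a form field might deliver

            // Unsafe: the input is spliced into the SQL text, so its quote is parsed as SQL.
            // With this value it surfaces as a syntax error; a crafted value could instead
            // change what the query means. Either way the input is controlling query structure.
            try {
                LazyList<Employee> rows = Employee.where("name = '" + userInput + "'");
                System.out.println("concatenated: " + rows.size() + " row(s)");
            } catch (Exception e) {
                System.out.println("concatenated query failed: " + e.getMessage());
            }

            // Safe: the ? is bound as a value by the JDBC PreparedStatement underneath,
            // so the input is data only and can never alter the statement's structure.
            LazyList<Employee> rows = Employee.where("name = ?", userInput);
            System.out.println("parameterized: " + rows.size() + " row(s)");
        } finally {
            Base.close();
        }
    }
}
```

The review check this suggests for a code base: every where(), find or exec call should carry its user-derived values as trailing arguments, never inside the SQL string.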

igor

Jul 30, 2012, 1:13:07 PM
to activejd...@googlegroups.com
Lukas, I read your post and it got me thinking. You have all valid points; I will explore this a bit more. I think it also deserves a blog of my own too.

thanks
igor

ipolevoy

Jul 30, 2012, 3:21:33 PM
to activejd...@googlegroups.com

igor

Jul 30, 2012, 3:38:31 PM
to activejd...@googlegroups.com
Apologies, that was a bad link, this is a good one:

Lukas Eder

Jul 31, 2012, 7:41:44 AM
to activejd...@googlegroups.com
Great Igor,

I've referenced to your post from mine.

Cheers
Lukas

qica...@hulu.com

Nov 29, 2015, 10:35:39 PM
to ActiveJDBC Group
Hi, igor, I met the same problem, and the picture in your blog is not available now.
Can you give some details about this SQL injection problem?

igor

Nov 29, 2015, 11:55:28 PM
to ActiveJDBC Group
Hi, there. Somehow the images broke, but I restored the content without images - take a look 