Group items tagged

To prevent SQL injection:

All queries should be

should be

String concatenation

to create dynamic SQL

Parameterized Queries

Prepared Statements

automatically be escaped by the JDBC driver

userId = ?

PreparedStatement

setString

Dynamic Queries via String Concatenation

never construct SQL statements using string concatenation of unchecked input values

dynamic queries via the java.sql.Statement class leads to SQL Injection

a) stop writing dynamic queries

b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Option #3: Escaping all User Supplied Input

Additional Defenses:

Perform: White List Input Validation

Primary Defenses

Defense Option 1: Prepared Statements (Parameterized Queries)

attacker is not able to

of a query, even if SQL commands are inserted by an attacker

allows the database to

distinguish

between

Defense Option 3: Escaping All User Supplied Input

allows additional behavior to be added to an existing class by wrapping the original class and duplicating its interface and then delegating to the original

AOP proxy is like a dynamic decorator

maintain an accurate listing of properties in an org

Tutorials All Tutorials UML Tutorials UML 2.1 Tutorial UML Tutorial - Part 1 Intro UML Tutorial - Part 2 Intro The Business Process Model The Component Model The Dynamic Model The Logical Model The Physical Model The Use Case Model UML Database Modeling Enterprise Architect Tutorials Creating Strategic Models Diagram Filters BPEL: Step by Step Guide Resource Management Testing Management Traceability RTF Documentation Use Case Metrics Structured Use Case Scenarios

Video Demonstrations All Videos Getting Started Requirements Management Modeling & Productivity Tools Code Engineering and the Debug Workbench Version Control Integration (Eclipse, Visual Studio, TFS)

UML Tutorial - Structure UML Tutorial - Behavior The Business Process Model Deployment of EA MDA Overview Rich-Text (RTF) Reporting Version Control Integration Requirements Management

White Papers & E-Books

Roles Business Analyst Database Administrator Deployment & Rollout Developer Project Manager Software Architects Software Engineer Technology Developer Testers

Solutions

MDG Technologies MDG Technologies EJB Technology.xml Testing Technology.xml

UML Profiles & Patterns UML Patterns UML Patterns Create UML Patterns Import UML Patterns Use UML Patterns UML Profiles UML Profiles: Introduction UML Profile for SPEM XML Schema (XSD) Generation Web Modeling Profile Eriksson-Penker Business Extensions Open Distributed Processing (UML4ODP)

for GraniteDS users keeping their Java domain model and ActionScript3 domain model in sync via Gas3, the constraints are kept in sync

a couple of gotchas to be aware of

the constraint implementation is in the same class as the constraint declaration (not a problem in a dynamic language) @Pattern has a sightly different semantic because the regexp engine in Flex is a bit different. instead of the features provided by ConstraintValidatorContext, you can define a properties attribute in your constraints to make it belong to several sub-properties. not as flexible but good enough in many cases.

SQL injection errors occur when:

Data enters a program from an

The data used to

consequences are:

Confidentiality:

sensitive data

Authentication

user names and passwords

Authorization

change this information

Integrity

read sensitive information

changes or even delete this information