
SQL Injection Attack and JDBC

 
Sarath Mohan
Ranch Hand
Posts: 213
"
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (') to the parameters, it is possible to cause a second query to be executed with the first.
"

We use Statement and PreparedStatement a lot in our web-based and independent applications.
Statements
==========
Here I feel there is a possibility that a SQL query can be injected by an attacker so that he can either make the DBMS disclose the confidential data or even delete the records.
Suppose we have a query String query= "SELECT * from employee"; which is somehow accessible through a JSP page.
An intelligent attacker can modify the query like "SELECT * from employee; Delete * from employee";
This is one of the major issues faced by web sites developed in ASP.
I heard if you use PreparedStatement we could work around the problem.
Does anybody face a problem like this? Do we have a safe mechanism in Java if we have to use Statement?
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Suppose we have a query String query= "SELECT * from employee"; which is somehow accessible through a JSP page.

How?
 
Sainudheen Mydeen
Ranch Hand
Posts: 218
Hmmm.... I am confused. When you call a JSP, the container calls the corresponding page implementation class. At which place can injection be done? Can somebody explain?
-------------------
Sainudheen
 
Pradeep bhatt
Ranch Hand
Posts: 8927
 
Sainudheen Mydeen
Ranch Hand
Posts: 218
Thanks Pradeep
This is one of the major issues faced by web sites developed in ASP.

Can SQL-injection be done with JSP?
---------------
Sainudheen
 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
Originally posted by Sainudheen Mydeen:
Can SQL-injection be done with JSP?
If you write a poorly configured application, sure. Do you give admin access to your web account? Do you allow quotes in user ids or passwords? Prepared statements or stored procedures would make you less vulnerable.
 
Jamie Robertson
Ranch Hand
Posts: 1879
Couldn't you just take the SQL and database access out of the JSP into its own servlet?
Seems like you are exposing a lot of information by hard coding everything into the JSPs!
 
Lu Battist
Ranch Hand
Posts: 104
If you accept user-generated SQL, then yes, you can have serious problems.
You can try to eliminate the really dangerous ones by making sure the connection that executes these only has read (select) permission on the underlying database. It's better to not let the user input any direct SQL. And if you send SQL via the URL like this (http://someurl?sql="select ...") it's just as bad. Follow the recommended practice of putting SQL in servlets and just using JSPs to display information.
Another thing, not specific to SQL, is to always parse user input fields, especially if they will be saved and redisplayed later. Failure to do so could allow someone to deface your web site in a variety of ways. One example, a text field where the user enters, <script>Alert("hello!");</script>. Depending on how you redisplay this field, it could very well execute the JavaScript and cause a popup message. Other things to watch out for are "<!--" or ">"
 