SQL Injection Attack and JDBC

Sarath Mohan
Ranch Hand

Joined: Mar 17, 2001
Posts: 213
"
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (') to the parameters, it is possible to cause a second query to be executed with the first.
"

We use Statement and PreparedStatement a lot in our web-based and standalone applications.
Statements
==========
Here I feel there is a possibility that an SQL query can be injected by an attacker so that he can either make the DBMS disclose confidential data or even delete the records.
Suppose we have a query String query = "SELECT * from employee"; which is somehow accessible through a JSP page.
An intelligent attacker can modify the query to "SELECT * from employee; Delete * from employee";
This is one of the major issues faced by web sites developed in ASP.
I heard that if you use PreparedStatement we could work around the problem.
Does anybody face a problem like this? Do we have a safe mechanism in Java if we have to use Statement?


Sarath Mohan
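The difference the post is asking about, shown side by side. This is an added example written for this thread, not code posted by any of its participants. It assumes a JDBC driver on the classpath; the in-memory H2 URL below is an assumption chosen so the program runs without a database server, and the employee table and its rows are constructed sample data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class EmployeeLookup {

    // Assumption: an in-memory H2 database so the example runs stand-alone.
    // Any JDBC URL and driver can be substituted here.
    private static final String JDBC_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    /** Vulnerable: the caller's value becomes part of the SQL text itself. */
    static String buildConcatenatedQuery(String lastName) {
        return "SELECT id, last_name FROM employee WHERE last_name = '" + lastName + "'";
    }

    /** Safe: the SQL text is fixed; the value is bound as a parameter and never parsed as SQL. */
    static int countByLastName(Connection conn, String lastName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT COUNT(*) FROM employee WHERE last_name = ?")) {
            ps.setString(1, lastName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL);
             Statement setup = conn.createStatement()) {
            // Constructed sample data, not from the thread.
            setup.execute("CREATE TABLE employee (id INT PRIMARY KEY, last_name VARCHAR(64))");
            setup.execute("INSERT INTO employee VALUES (1, 'Smith'), (2, 'O''Brien')");

            // A perfectly legitimate value that happens to contain a single quote.
            String input = "O'Brien";

            // 1. Concatenation: the quote in the input terminates the SQL string literal
            //    early, so the rest of the input is parsed as SQL. Here that is only a
            //    syntax error; with other input it would change what the query does.
            String sql = buildConcatenatedQuery(input);
            System.out.println("Concatenated SQL: " + sql);
            try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
                System.out.println("Statement unexpectedly succeeded");
            } catch (SQLException e) {
                System.out.println("Statement failed: the input was parsed as SQL");
            }

            // 2. PreparedStatement: identical input, but it travels to the driver as a
            //    bound value, so the quote is just a character in the data.
            System.out.println("Prepared match count: " + countByLastName(conn, input));
        }
    }
}
```

Whether a Statement will run two statements separated by ";" in one call, as in the post's "SELECT ...; Delete ..." example, depends on the driver and database, so it is not something to rely on either way. A bound parameter removes the question for the values themselves: only the fixed SQL text is ever parsed, and the connection's own privileges then bound what any query can do.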
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8904

Suppose we have a query String query= "SELECT * from employee"; which is some how accessible thru a JSP page.

How?


Groovy
Sainudheen Mydeen
Ranch Hand

Joined: Aug 18, 2003
Posts: 218
Hmmm.... I am confused. When you call a JSP, the container calls the corresponding page implementation class. Injection can be done at which place? Can somebody explain?
-------------------
Sainudheen
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8904

http://www.sitepoint.com/print/794
Sainudheen Mydeen
Ranch Hand

Joined: Aug 18, 2003
Posts: 218
Thanks Pradeep
This is one of the major issues faced by web sites developed in ASP.

Can SQL-injection be done with JSP?
---------------
Sainudheen
Thomas Paul
mister krabs
Ranch Hand

Joined: May 05, 2000
Posts: 13974
Originally posted by Sainudheen Mydeen:
Can SQL-injection be done with JSP?
If you write a poorly configured application, sure. Do you give admin access to your web account? Do you allow quotes in user ids or passwords? Prepared statements or stored procedures would make you less vulnerable.


Jamie Robertson
Ranch Hand

Joined: Jul 09, 2001
Posts: 1879

Couldn't you just take the SQL and database access out of the JSP into its own servlet?
It seems like you are exposing a lot of information by hard-coding everything into the JSPs!
Lu Battist
Ranch Hand

Joined: Feb 17, 2003
Posts: 104
If you accept user-generated SQL, then yes, you can have serious problems.
You can try to eliminate the really dangerous ones by making sure the connection that executes these only has read (select) permission on the underlying database. It's better not to let the user input any direct SQL. And if you send SQL via the URL like this (http://someurl?sql="select ...") it's just as bad. Follow the recommended practice of putting SQL in servlets and just using JSPs to display information.
Another thing, not specific to SQL, is to always parse user input fields, especially if they will be saved and redisplayed later. Failure to do so could allow someone to deface your web site in a variety of ways. One example: a text field where the user enters <script>alert("hello!");</script>. Depending on how you redisplay this field, it could very well execute the JavaScript and cause a popup message. Other things to watch out for are "<!--" or ">".