Java EE 6 Cookbook - Question on SQL Injection

Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
I attended an OWASP presentation yesterday in Silicon Valley, and was dumbfounded to learn that SQL Injection is still the #1 problem for web applications in 2012. Not sure how many years it has been since OWASP put this on its list of Top 10 vulnerabilities - I definitely recall reading about it in 2005 - but hearing that this is still the #1 problem is simply incredible.

The Java Enterprise Edition, IMO, has the optimal architecture to permanently eliminate this problem: the web-form talks to the servlet, the servlet hands over the form-data to a stateless session-bean, which, based on the parameters it parses and validates, calls the appropriate entity-bean to execute the OQL query and hand the results back to the SLSB. Even if the attacker was clever enough to get past the data-validation in the SLSB, what can an attacker do with SQL embedded inside an OQL parameter?

Does the book recommend ways to eliminate this problem once and for all? Even if business executives are idiots who do not provide sufficient time/resources to get the job done right, I would imagine books and experts should have spread enough information by now, to make a SQL Injection vulnerability a career stigma for any programmer. TIA.
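An added illustration of the session-bean layer described above (example code, not from the thread or from the book): the query-language layer only removes injection when the form value is bound as a parameter, not spliced into the query text. It assumes a hypothetical `Customer` entity with an `email` field.

```java
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

// Assumed for this example: a JPA entity such as
//   @Entity public class Customer { @Id Long id; String email; ... }

@Stateless
public class CustomerLookupBean {

    @PersistenceContext
    private EntityManager em;

    // VULNERABLE: the form value becomes part of the JPQL text. A quote
    // character in the input ends the string literal, and whatever follows
    // is parsed as query language. The JPQL layer does not prevent this;
    // it only changes which query language the attacker is rewriting.
    public List<Customer> findByEmailUnsafe(String email) {
        String jpql = "SELECT c FROM Customer c WHERE c.email = '" + email + "'";
        return em.createQuery(jpql, Customer.class).getResultList();
    }

    // SAFE: the query text is a constant and the value is bound as a named
    // parameter, so the input can never be interpreted as query syntax.
    // The validation step is defence in depth (rejects obviously malformed
    // input early), not the thing that makes the query safe.
    public List<Customer> findByEmail(String email) {
        if (email == null || email.length() > 254 || !email.contains("@")) {
            throw new IllegalArgumentException("invalid email address");
        }
        TypedQuery<Customer> q = em.createQuery(
            "SELECT c FROM Customer c WHERE c.email = :email", Customer.class);
        q.setParameter("email", email);
        return q.getResultList();
    }
}
```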
Mick Knutson
Ranch Hand

Joined: Jul 10, 2007
Posts: 37
I did not have room to add several recipes I had on prevention.
But I also was surprised at first about how SQL attacks are #1.

One report I found was that not only are hackers stealing data or gaining access to a system through SQL injection, some people just want to destroy a system, such as by mass deletion of records, which will bring your application down.

There are several tools that you can run against your own application to test for vulnerabilities.

... Mick Knutson - [Java EE6 Cookbook for securing, tuning, and extending enterprise applications (PACKT)] - [Java EE6 Cookbook (PACKT) (on Amazon)]