Java EE 6 Cookbook - Question on SQL Injection

 
Ranch Hand
Posts: 34
I attended an OWASP presentation yesterday in Silicon Valley, and was dumbfounded to learn that SQL Injection is still the #1 problem for web-applications in 2012. Not sure how many years it has been since OWASP put this on its list of Top 10 vulnerabilities - I definitely recall reading about it in 2005 - but hearing that this is still the #1 problem is simply incredible.

The Java Enterprise Edition, IMO, has the optimal architecture to permanently eliminate this problem: the web-form talks to the servlet, the servlet hands over the form-data to a stateless session-bean, which, based on the parameters it parses and validates, calls the appropriate entity-bean to execute the OQL query and hand the results back to the SLSB. Even if the attacker was clever enough to get past the data-validation in the SLSB, what can an attacker do with SQL embedded inside an OQL parameter?

Does the book recommend ways to eliminate this problem once and for all? Even if business executives are idiots who do not provide sufficient time/resources to get the job done right, I would imagine books and experts should have spread enough information by now, to make a SQL Injection vulnerability a career stigma for any programmer. TIA.
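To make the architecture in the post above concrete, here is an added example (not from the book and not the poster's code) of a stateless session bean written both ways: the hardened method validates the form value and binds it as a JPQL named parameter, while the concatenating method is kept only to show that swapping SQL for JPQL does not by itself remove the problem. The Account entity, its field names and the username character class are assumptions made for this example.

```java
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

// Minimal assumed entity so the bean compiles in one file (constructed for this example).
@Entity
class Account {
    @Id public Long id;
    public String username;
}

// Stateless session bean that the servlet would call with the form value.
@Stateless
public class AccountLookupBean {

    @PersistenceContext
    private EntityManager em;

    // Anti-pattern, kept for contrast: the form value is spliced into the JPQL
    // text, so the structure of the query depends on user input. JPQL is not SQL,
    // but its parser accepts a rewritten WHERE clause just as readily.
    public List<Account> findByUsernameUnsafe(String username) {
        String jpql = "SELECT a FROM Account a WHERE a.username = '" + username + "'";
        return em.createQuery(jpql, Account.class).getResultList();
    }

    // Hardened form: the JPQL text is a constant and the value is bound as a
    // named parameter, so whatever it contains is only ever compared as data.
    public List<Account> findByUsername(String username) {
        if (!isWellFormedUsername(username)) {
            throw new IllegalArgumentException("rejected username");
        }
        TypedQuery<Account> q = em.createQuery(
            "SELECT a FROM Account a WHERE a.username = :name", Account.class);
        q.setParameter("name", username);
        return q.getResultList();
    }

    // Defence in depth: validate in the session bean before building any query.
    // The allowed character set is an assumption about this application's usernames.
    static boolean isWellFormedUsername(String s) {
        return s != null && s.length() <= 32 && s.matches("[A-Za-z0-9_.-]+");
    }
}
```

The binding in findByUsername is what neutralises the input; the validation is a second layer, not a substitute for it.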
 
author
Posts: 37
  • Likes 1
I did not have room to add several recipes I had on prevention.
But I also was surprised at first about how SQL attacks are #1.

One report I found was that not only are hackers stealing data or gaining access to a system through SQL injection, some people just want to destroy a system, such as mass deletion of records, which will bring your application down.
Scary!

There are several tools that you can run against your own application to test for vulnerabilities.
Sqlmap
Skipfish
Wikto
Webslayer