I attended an OWASP presentation yesterday in Silicon Valley, and was dumbfounded to learn that SQL Injection is still the #1 problem for web applications in 2012. Not sure how many years it has been since OWASP put this on its list of Top 10 vulnerabilities - I definitely recall reading about it in 2005 - but hearing that this is still the #1 problem is simply incredible.
The Java Enterprise Edition, IMO, has the optimal architecture to permanently eliminate this problem: the web form talks to the servlet, the servlet hands over the form data to a stateless session bean, which, based on the parameters it parses and validates, calls the appropriate entity bean to execute the OQL query and hand the results back to the SLSB. Even if the attacker was clever enough to get past the data validation in the SLSB, what can an attacker do with SQL embedded inside an OQL parameter?
Does the book recommend ways to eliminate this problem once and for all? Even if business executives are idiots who do not provide sufficient time/resources to get the job done right, I would imagine books and experts should have spread enough information by now to make a SQL Injection vulnerability a career stigma for any programmer. TIA.
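The mechanism the post relies on (validate at one layer, then pass the value as a query parameter rather than as query text) can be shown without a container. The following is an added example, not code from the post or from any Java EE project; it uses Python's built-in sqlite3 module in place of the servlet/SLSB/entity-bean stack, and the table, rows and the crafted input are constructed for the demonstration. `lookup_concatenated` is the defect that OWASP keeps listing; `lookup_parameterized` is the bound-parameter form, and `validate_name` plays the role of the session bean's input check in front of it.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the caller's value is spliced into the SQL text,
    so a quote inside it becomes part of the query grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the value travels as a bound parameter. The engine
    parses the statement once, with a placeholder, and the value is only
    ever compared as data, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_name(name):
    """The session-bean style check: reject input outside the expected
    shape before it reaches the data layer. Hypothetical policy: 1-32
    alphanumeric characters."""
    if not (1 <= len(name) <= 32) or not name.isalnum():
        raise ValueError("invalid username")
    return name


def safe_lookup(conn, name):
    """Both layers together: validate, then bind."""
    return lookup_parameterized(conn, validate_name(name))


def demo():
    """Run the same crafted value through both query styles."""
    conn = make_db()
    crafted = "' OR 1=1 --"  # constructed input containing SQL syntax
    return {
        "concatenated": lookup_concatenated(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "normal": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With concatenation the crafted value rewrites the WHERE clause and every row comes back; with a bound parameter the same string is simply a username that matches nothing. The validation layer adds defence in depth, but it is the parameter binding, not the validation, that makes the embedded SQL inert, which is the point the post makes about OQL parameters.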