vijay jamadade

I understand. Your doubt is valid Tim. Achieving 100% security is difficult. Queries that I am trying to secure are DDL queries like create revoke which cant use bind parameters.

thanks Tim.

In oracle there is package dbms_assert which has methods like 'sql_object_name' which checks whether input is valid or not like below,

select DBMS_ASSERT.sql_object_name ('V$VERSION') from dual;

if i pass a query as input, it gives exception. Oracle says this is to avoid sql injection but i am not finding anybody using it for java code. I mean using it through jdbc connectivity. Any idea?

One more thing, we cant use preparedstatment here now so are we sure its gonna securely check input like 'V$VERSION' ?

Hey Ranchers,

Hi after a long time !!!

I have create user operation done through my application for oracle database. I use below query,

CREATE user "V3 -- select test from dual" identified by test ;

Here username to be created i pass in double quotes. I am trying to check/confirm whether use of "" for user is avoiding any sql injection. Executing above created user named - V3 -- select test from dual

Based on this can i say in oracle we are safe for SQL injection if input to create, revoke command is passed enclosing quotes.

Thanks in advance for your views.

Thanks Tim.

but when i try to access normal GIT file which is accessible without authentication can be downloaded. Problem here is authentication might not getting applied. And its not throwing authentication related error. Other files in other repositories like https://jcenter.bintray.com/ are getting downloaded. So I think there is no issue with connection. But whatever i am trying, Is it possible? I am not getting any samples on internet. There is very limited information.

Hi Ranchers,

I have a requirement where i want to download jar files required for my build from one of our GIT repository which needs authentication. I am using below in my build.xml,

///
<target name="vijay" unless="ivy.installed">
<mkdir dir="${ivy.home}"/>
<get src="https://github.com/abc/module/raw/lib/apache-ant-1.7.0/ant.jar" dest="${ivy.home}/h.jar"/>
</target>
///
to download above jar. But i am getting below exception,
[get] Error opening connection java.io.FileNotFoundException:
///

Is this due to thing that my github repository needs authentication? Can I achieve this thing of downloading some jars build time from github?

I agree Junilu. I think i will raise this issue for analysis and changes in design and it will take lot of time for resolution. Many people use this thing.

Based on name of this class, people have wrote customized solutions in our application. we have around 200 clients which uses our product and customize things using different scripts where they create instance of this class and access functions which are exposed to them. This class itself implements an interface in upper layer in our product. These customized scripts get interpreted using bean shell library. so scripts can be in any language which are understood by bean shell implementation. Thats why i said i cant change this class and i have to live with it.  

Thank you Junilu and Stephan.

You got it correct Junilu. But I cant change this class to interface. Now what i am planning to do is create 2 service classes.

Class A {  AddService service; A( String str){  if(str.equals("one")){   this.service = new Service_one();  else   this.service = new Service_two(); } public int add(){ service.add(); } } } ================= class Service_one(){  public int add(){ } } =============== class Service_two(){  public int add(){ }


What do you think about this approach?

One more thing is client only know about class-A. They have written own implementations using class-A. So i want to redirect them to new implementation based on some condition or flag that will be passed by them to class-A constructor.

okay my mistake. I haven't wrote that in code but class-A implements an interface. This class-A was providing some functionality to clients using methods like add(). Now I have 2 clients, one wants to use implementation in class-A and other wants implementation of class-B method like add(). Untouched i meant i want to deprecate class-A's add() method in future. thats why i dont want changes in that for mixed behavior which will result in complications while deprecating it. New clients for class-A will should use class-B's add() method based on some flag or value like i passed in constructor using below code.  

A( String str){       if(str.equals("one")) {       [b] this = instance of class B[/b]        }          }

Is it possible? like can i cast an object to subclass object so that it will start referring methods of class B.

Hi All,

I have an existing java class which is having some functions implemented based on interface. Now I want to add new class which will have same functions and will get instantiated within constructor of my original class. So consider below example,

Class A{     A( String str){       if(str.equals("one")) {        this = instance of class B        }          }     public int add(){     } } ============== Class B extends A{         public int add(){     } } =============== Class Client {      A obj = new A("one");      obj.add();   }

So if client class calls add() method, it should be Add() from class B. Limitation i have with my code is i can make changes in class A only. This is needed for backward compatibility where i want Class A to be untouched. This is because this class A gets instantiated through various scripts and method like Add() are used.

Thank you in advance. I hope my question is clear.

yes whole idea behind my application is doing administrative tasks.

hi,

I have a query for revoke which i execute using java class on db2 database.
//
REVOKE ROLE 'xyz' FROM USER 'john' BY ALL
//
In java i pass values for xyz and john through variables which can be attacked using sql injection. I cant use prepared statement here as this is DCL statement. I can't also use stored procedure to avoid this due to our application restrictions.

Is there any way to prevent/fix this injection?

Is it open for india as well?