On Jan 17, 2008 1:17 PM, Oliver Heger <[EMAIL PROTECTED]> wrote:
> Henri Yandell wrote:
> >
> > Should the DatabaseConfiguration class be responsible for protecting
> > against SQL Injection, or should we make sure the javadoc states that
> > it offers no protection and leave that up to the user?
> >
> > Hen
> >
>
> Adding a note about this topic to the documentation would certainly do
> no harm.
>
> From a short look at the code I think that chances for SQL Injection on
> a correctly initialized DatabaseConfiguration (i.e. the settings for the
> database table are valid) are pretty small: Everywhere
> PreparedStatements are used.
Fortify was flagging all the places where prepared statements are
built from strings with variables in them, i.e. columnName etc.

I think this is a case of the SQL Injection worry being outside the
scope of the library. For example, no one is concerned that java.sql
has SQL Injection issues.

+1 to the javadoc.

Hen
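The point Hen and Oliver are circling, that values go through PreparedStatement placeholders but table and column names cannot, is easier to see with a runnable illustration. The following is an added example, not code from Commons Configuration or from this thread; it is written in Python against the bundled sqlite3 module so it runs stand-alone, and the class name DatabaseConfigurationDemo, the check_identifier() helper and the identifier pattern are assumptions made for the example, not the library's own API or rules. It shows three things: a bound '?' placeholder cannot name a column (it becomes a string literal), values that contain SQL syntax are stored verbatim when bound, and the one thing a library like this can do about the interpolated identifiers Fortify flags is validate them once at initialization.

```python
import re
import sqlite3

# Assumed identifier rule for this example (not the library's rule): plain
# unquoted SQL identifiers only, letters/digits/underscore, no punctuation.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def check_identifier(name: str) -> str:
    """Reject anything that is not a plain identifier; return it unchanged otherwise."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


class DatabaseConfigurationDemo:
    """Hypothetical stand-in for a table-backed configuration store.

    Table and column names are validated once here and then interpolated into
    the statement text, because a driver cannot bind identifiers. Keys and
    values are always passed as bound parameters and never spliced in.
    """

    def __init__(self, conn, table, key_column, value_column):
        self.conn = conn
        self.table = check_identifier(table)
        self.key_column = check_identifier(key_column)
        self.value_column = check_identifier(value_column)
        self._select = (
            f"SELECT {self.value_column} FROM {self.table} "
            f"WHERE {self.key_column} = ?"
        )
        self._insert = (
            f"INSERT INTO {self.table} ({self.key_column}, {self.value_column}) "
            f"VALUES (?, ?)"
        )

    def set_property(self, key, value):
        self.conn.execute(self._insert, (key, value))

    def get_property(self, key):
        row = self.conn.execute(self._select, (key,)).fetchone()
        return row[0] if row else None


def build_demo_connection():
    """Constructed in-memory database with one config table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)")
    return conn


def placeholder_cannot_name_a_column():
    """Binding a column name as a parameter selects the literal string, not the column."""
    conn = build_demo_connection()
    conn.execute("INSERT INTO config VALUES ('greeting', 'hello')")
    row = conn.execute(
        "SELECT ? FROM config WHERE name = ?", ("value", "greeting")
    ).fetchone()
    return row[0]  # 'value', the bound literal, rather than the stored 'hello'


def bound_values_are_stored_verbatim():
    """A value containing quotes and SQL syntax round-trips unchanged through the placeholders."""
    cfg = DatabaseConfigurationDemo(build_demo_connection(), "config", "name", "value")
    cfg.set_property("db.url", "jdbc:h2:mem:test;MODE=MySQL")
    cfg.set_property("quote", "it's 'quoted'")
    return cfg.get_property("quote")


def rejected_identifiers():
    """Constructed identifiers that the validator must refuse (punctuation, whitespace, leading digit, empty)."""
    bad = ["name, value", "value--", "va lue", "1value", ""]
    rejected = []
    for name in bad:
        try:
            check_identifier(name)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return all(rejected)
```

The practical reading for a DatabaseConfiguration-style class is that the documentation note Oliver suggests covers the values (they are parameterized already), while the identifiers passed at construction time are the only input a caller could misuse, and a strict identifier check at initialization is the cheap way to close that without pretending the library can parameterize them.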