Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Antonio Petrelli
f the following link: > http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf > > Thx. > > Mike > > > --- On Thu, 11/15/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote: > > > From: Antonio Petrelli <[EMAIL PROTECTED]> > > Subject: Re: Struts Val

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Roberto Nunnari
), then you're not covered. But if you use the placeholder and HQL or the Criteria APIs, then you're covered. Mike --- On Thu, 11/15/07, Gary Affonso <[EMAIL PROTECTED]> wrote: From: Gary Affonso <[EMAIL PROTECTED]> Subject: Re: Struts Validator to Prevent SQL Injection Att

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Antonio Petrelli
2007/11/15, Mike Duffy <[EMAIL PROTECTED]>: > No matter where this is done, the basic problem is we have single quotes, > double quotes, ampersands, semicolons, and parenthesis in our data. This may be off topic, but does it not suffice to use prepared statements and parameters to avoid such attac

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Antonio Petrelli
2007/11/15, Mike Duffy <[EMAIL PROTECTED]>: > Prepared statements if created correctly will work, but if your statements > are created dynamically with text strings as the values instead of "?" > placeholders problems can occur. I wonder why you create query strings this way: you can always c
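The two messages above (prepared statements with parameters, and "?" placeholders versus values pasted into the query text) are illustrated by the following added example. It is not code from the thread or from Struts; it uses Python's sqlite3 module in place of a JDBC data source because it runs offline, but the "?" placeholder mechanism is the same one a JDBC PreparedStatement uses. The table, the rows (which deliberately contain the single quotes, double quotes, ampersands, semicolons and parentheses Mike mentions) and the injection payload are all constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the thread). The display names contain
# the awkward characters the thread says occur in real data.
SAMPLE_USERS = [
    ("alice", "O'Brien & Sons; (Ltd)"),
    ("bob", 'Bob "the Builder"'),
]

# Classic injection payload, used here only as a constructed test input.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """In-memory SQLite standing in for the application's JDBC data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_dynamic(conn, username):
    """The pattern the thread warns about: the value is pasted into the SQL
    text, so any SQL metacharacters in the value are parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username):
    """'?' placeholder, as in a JDBC PreparedStatement: the statement text is
    fixed and the value is bound separately, so it is compared as data and
    never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def find_by_display_name(conn, display_name):
    """Same placeholder approach on a column holding quotes, '&', ';', '()'."""
    sql = "SELECT username FROM users WHERE display_name = ?"
    return [row[0] for row in conn.execute(sql, (display_name,))]


def demo():
    conn = make_db()
    results = {}
    # 1. Injection: the dynamic string returns every row because the WHERE
    #    clause became  username = '' OR 1=1 --' ; the placeholder returns none.
    results["dynamic_injected"] = find_user_dynamic(conn, PAYLOAD)
    results["prepared_injected"] = find_user_prepared(conn, PAYLOAD)
    # 2. Legitimate data with a quote: the dynamic string is a syntax error
    #    (unbalanced quote), the placeholder works with no escaping or
    #    validation of the value at all.
    try:
        find_user_dynamic(conn, "O'Brien")
        results["dynamic_quote_ok"] = True
    except sqlite3.OperationalError:
        results["dynamic_quote_ok"] = False
    results["prepared_display"] = find_by_display_name(conn, "O'Brien & Sons; (Ltd)")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point for the validator question in this thread: with the placeholder form there is nothing for a form validator to reject, because the quote characters never reach the SQL parser; the validator is then free to enforce business rules (length, allowed characters) rather than guess at SQL syntax.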

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Mike Duffy
: Struts Validator to Prevent SQL Injection Attacks > To: "Struts Users Mailing List" > Cc: [EMAIL PROTECTED] > Date: Thursday, November 15, 2007, 11:13 AM > Dave Newton wrote: > > --- Mike Duffy <[EMAIL PROTECTED]> wrote: > >> Does anyone have a gre

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Mike Duffy
mp;start=0&postdays=0&postorder=asc And page 16 of the following link: http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf Thx. Mike --- On Thu, 11/15/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote: > From: Antonio Petrelli <[EMAIL PROTECTED]>

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Mike Duffy
.). Has anyone created an elegant solution for this problem within the Struts framework? Mike --- On Thu, 11/15/07, Dave Newton <[EMAIL PROTECTED]> wrote: > From: Dave Newton <[EMAIL PROTECTED]> > Subject: Re: Struts Validator to Prevent SQL Injection Attacks > To: "

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Gary Affonso
Dave Newton wrote: --- Mike Duffy <[EMAIL PROTECTED]> wrote: Does anyone have a great solution for a validator that will prevent users from entering malicious SQL into form entry text fields? I'm not sure that belongs in a validator; unless you never need to allow the use of a single quote. It

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Martin Gainty
Mike- There are actually 2 situations to be mindful of (Not a salesman for these folks but Acunetix had a very good tutorial) SQL Injection Solution might use a JS Validator.. but just in case JS validator passes it on the server side to look for AND/OR funky conditional 1=1 comes to mind and re

Re: Struts Validator to Prevent SQL Injection Attacks

2007-11-15 Thread Dave Newton
--- Mike Duffy <[EMAIL PROTECTED]> wrote: > Does anyone have a great solution for a validator > that will prevent users from entering malicious SQL > into form entry text fields? I'm not sure that belongs in a validator; unless you never need to allow the use of a single quote. It is, however unlik