
Make SQL-Generator resistant to SQL injections

Open stazz opened this issue 13 years ago • 4 comments

Make the strings produced by java-sql-generator take into account the possibility of SQL injection.

stazz avatar Sep 09 '11 18:09 stazz

Although, developers should be strongly advised to use ? as a placeholder for variables, in conjunction with java.sql.PreparedStatement objects. Hence this should be a low-priority issue.

stazz avatar Sep 09 '11 18:09 stazz

Actually, this has more to do with situation where things like column names etc are taken from the user input. Therefore, all string parameters of all factory methods in SQL Generator should be sanitized.

stazz avatar Sep 19 '12 12:09 stazz

Couldn't these be PreparedStatement parameters too?

eskatos avatar Sep 24 '12 15:09 eskatos

Well yes, but I meant the cases when you get user input for, e.g., your column names in a table definition. Can't use prepared statement parameters there, IIRC. I might be wrong, but there are cases where you can't use prepared statements or PS parameters.

stazz avatar Sep 26 '12 22:09 stazz
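The point raised in the thread, as an added example that is not part of java-sql-generator or this issue: identifiers such as column names cannot be bound as PreparedStatement parameters, so a generator has to validate or delimit them itself. The class name `SqlIdentifier` and both method names are hypothetical.

```java
import java.util.regex.Pattern;

// Added example, not project code: two ways for a SQL generator to handle an
// identifier (table or column name) that may originate from user input.
public final class SqlIdentifier {

    // Allow-list for unquoted identifiers: a letter or underscore followed by
    // letters, digits or underscores, with a bounded length.
    private static final Pattern UNQUOTED =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    private SqlIdentifier() {}

    // Strict mode: accept only a plain identifier, reject everything else.
    // Preferable for factory methods that build DDL, since no quoting rules
    // of the target dialect need to be known.
    public static String requirePlain(String name) {
        if (name == null || !UNQUOTED.matcher(name).matches()) {
            throw new IllegalArgumentException("Invalid SQL identifier: " + name);
        }
        return name;
    }

    // Lenient mode: emit a delimited identifier (double quotes per SQL-92),
    // doubling any embedded double quote. Control characters are refused
    // rather than escaped, because no dialect needs them in a name.
    public static String quote(String name) {
        if (name == null || name.isEmpty() || name.length() > 63) {
            throw new IllegalArgumentException("Bad identifier length");
        }
        for (int i = 0; i < name.length(); i++) {
            if (Character.isISOControl(name.charAt(i))) {
                throw new IllegalArgumentException("Control character in identifier");
            }
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary name, one carrying a quote.
        System.out.println(quote("user_id"));
        System.out.println(quote("odd\"name"));
        System.out.println(requirePlain("user_id"));
        try {
            requirePlain("odd\"name");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The delimiter is dialect-specific: MySQL uses backticks unless ANSI_QUOTES is enabled, and SQL Server accepts square brackets, so a generator that targets several databases should select the quoting rule per dialect rather than hard-code double quotes.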