[WEB SECURITY] Known Safe JDBC Drivers

planetlevel planetlevel at gmail.com
Wed Nov 25 15:00:48 EST 2009 

This isn't true. ESAPI absolutely does recommend that people use
PreparedStatement as the first and best option (it's all over the javadoc
and the swingset sample app).

However, ESAPI does provide database codecs because there are many
situations when remediation is more easily done with an escaping method.
There are also certain types of queries for which using PreparedStatement
will cause significant performance problems (so be careful with those
recommendations folks). Also, in some environments parameterized queries may
not be available, so an escaping option is important.

I looked into this pretty deeply back in 2002/2003 (
http://lists.virus.org/webappsec-0301/msg00003.html). The upshot is that the
JDBC spec doesn't explicitly require that PreparedStatement prevents
injection, so there's certainly some risk in relying exclusively on
them. That's why input validation, escaping, and access reference maps are
important security controls. And of course there are degenerate cases like
PreparedStatement.executeQuery( "exec ?" );

I looked into the MySQL driver back then and decided that it wasn't
obviously vulnerable.  I even took a swing at reversing the Oracle JDBC
drivers, but I didn't get far enough to give anyone any confidence.  This is
exactly the lack of visibility that makes it so difficult to make progress
in application security.

--Jeff

On Wed, Nov 25, 2009 at 11:32 AM, Rohit Sethi <rklists at gmail.com> wrote:

> Common advice in the Java world is to use properly bound variables in
> PreparedStatements to protect against SQL Injection. Many people have
> talked about the fact that the protection provided by
> PreparedStatements is really dependent on how the JDBC drivers are
> coded.
>
> ESAPI takes the approach to not rely on JDBC drivers and instead
> provides its own encoding codecs for MySQL and Oracle. For other
> databases,however, many people rely on the JDBC drivers.
>
> My question is: does anyone know of a study, list or project that
> discusses which JDBC drivers are known to protect against SQL
> Injection (in properly bound variables in prepared statements)?
> Essentially I'm looking for a whitelist of JDBC drivers that, if used
> properly, a developer can feel confident that they're not vulnerable
> to SQL Injection.
>
> Thanks,
>
> --
> Rohit Sethi
> Security Compass
> http://www.securitycompass.com
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>


-- 

--pl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20091125/95d98a69/attachment.html>

More information about the websecurity mailing list