Re: JDBC: getMoreResults() versus rs.next() & autoGeneratedKeys

From: Arne Vajhøj <arne@vajhoej.dk>
Newsgroups: comp.lang.java.programmer
Date: Tue, 13 May 2014 20:43:48 -0400
Message-ID: <5372bc46$0$295$14726298@news.sunsite.dk>
On 5/12/2014 12:29 PM, Marcel Müller wrote:
> On 12.05.14 04.10, Arne Vajhøj wrote:
>> Allowing multiple SQL statements in a single execute can make
>> SQL injection much worse.
>>
>> I would consider it a security flaw.
>
> I do not agree.
>
> Code that passes user input as part of SQL code to a database is broken
> by design, not the database driver that can execute more than one
> statement.


If SQL injection happens then there is certainly a bug in
the application code.

But good software design does not assume that all other code
is implemented correctly.

So you:
* configure mod_security in Apache to check for injection attempts
* validate input in the PL
* store data in strongly typed objects in the BLL
* use prepared statements in the DAL
* use a JDBC driver that does not allow multiple statements to be
executed in one call
* configure database security so that the connections have minimal privileges

to defend against SQL injection in depth.

> And on the other side there could be good reasons to execute multiple
> statements as a block. Preferably performance issues.


For INSERT/UPDATE/DELETE you can do it safely in JDBC via batch.

If the same functionality were needed for SELECT, then adding SELECT support
to batch would be safer than allowing multiple statements in one call.

Arne
