Re: rewriteBatchedStatements / SQL injection
Posted by: Mark Matthews
Date: March 06, 2018 01:31PM

Hi,

Specifically, it's using the method Statement.addBatch(String).

Because that takes SQL that may be unsanitized by your application, *and* to make it batch the driver enables multi-statement behavior with the server, which simply lets it send sql; sql; sql (each statement separated by ';'), it is vulnerable to SQL Injection when the SQL passed by Statement.addBatch() hasn't been sanitized against SQL Injection.

With PreparedStatements - it's the parameters that are batched, not the SQL, and they are automatically sanitized.

- Mark

Mark Matthews
Consulting Member Technical Staff - MySQL Enterprise Tools
Oracle
http://www.mysql.com/products/enterprise/monitor.html
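
Added example, not part of the post above and not Connector/J code: a small Python model of the two batching paths the post contrasts, run against an in-memory SQLite database so it executes offline. `batch_as_sql_text` stands in for `Statement.addBatch(String)` under `rewriteBatchedStatements`, where the application has already spliced the value into SQL text and the driver sends the entries joined with ';' to a server that accepts multiple statements (modelled here with `executescript`). `batch_as_parameters` stands in for `PreparedStatement.addBatch()`, where the SQL text is fixed and only the parameter sets are batched (modelled with `executemany`). The table names, the hostile `NAMES` entry and the attacker-controlled "name" field are constructed for the demonstration.

```python
import sqlite3

# Constructed input: a benign value and a hostile one, assuming the attacker
# controls a "name" field that the application splices into SQL text.
# The payload closes the quoted value, ends the statement, appends its own
# statements, and re-opens a quote so the tail of the original statement
# still parses.
NAMES = [
    "alice",
    "bob'); DROP TABLE audit; INSERT INTO users (name) VALUES ('pwned",
]


def fresh_db():
    """Fresh in-memory database with a target table and a bystander table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE audit (note TEXT)")
    return conn


def batch_as_sql_text(conn, names):
    """Model of Statement.addBatch(String) + rewriteBatchedStatements.

    Each batch entry is complete SQL text built by the application; the
    driver concatenates the entries with ';' and the server executes the
    result as several statements.  Anything the attacker placed in the
    text is therefore executed as SQL, not stored as data.
    """
    pieces = [f"INSERT INTO users (name) VALUES ('{n}')" for n in names]
    conn.executescript("; ".join(pieces) + ";")
    return conn


def batch_as_parameters(conn, names):
    """Model of PreparedStatement.addBatch().

    The SQL text is fixed once; only the parameter sets are batched, so the
    hostile string is bound as a value and never parsed as SQL.
    """
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)", [(n,) for n in names]
    )
    return conn


def table_exists(conn, name):
    """True if a table of that name survived the batch."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def user_names(conn):
    """Rows that actually landed in users, in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY rowid")]


if __name__ == "__main__":
    vuln = batch_as_sql_text(fresh_db(), NAMES)
    print("text batch: audit exists?", table_exists(vuln, "audit"), user_names(vuln))
    safe = batch_as_parameters(fresh_db(), NAMES)
    print("param batch: audit exists?", table_exists(safe, "audit"), user_names(safe))
```

In the text-batched path the joined script contains four statements, the `audit` table is dropped and a `pwned` row appears; in the parameterized path the same string is stored verbatim as one user's name and `audit` is untouched. The model simplifies one detail: with prepared statements the real driver rewrites the batch into one multi-row `INSERT ... VALUES (...),(...)` rather than issuing separate statements, but in both cases the values remain bound parameters, which is the property the post relies on.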
