Re: rewriteBatchedStatements / SQL injection
Hi,
Specifically, it's using the method Statement.addBatch(String).
Because that takes SQL that may be unsanitized by your application *and* to make it batch, the driver enables multi-statement behavior with the server, which simply lets it send sql;sql;sql (each statement separated by ';') - it is vulnerable to SQL Injection when the SQL passed by Statement.addBatch() hasn't been sanitized against SQL Injection.
With PreparedStatements - it's the parameters that are batched, not the SQL, and they are automatically sanitized.
- Mark
Mark Matthews
Consulting Member Technical Staff - MySQL Enterprise Tools
Oracle
http://www.mysql.com/products/enterprise/monitor.html
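The two patterns Mark contrasts, as an added illustration that is not part of the original post: with Statement.addBatch(String) the SQL text itself is batched, so anything spliced into that string is sent to the server as part of the rewritten sql;sql;sql payload, whereas with PreparedStatement only the parameter values are batched and the driver escapes them. The connection URL, the users table and the credentials are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

public class BatchInsertExample {
    // Assumed connection string; rewriteBatchedStatements=true is the
    // Connector/J property the thread is about.
    static final String URL =
        "jdbc:mysql://db.example.invalid/app?rewriteBatchedStatements=true";

    // Unsafe pattern: the SQL text is batched. A value spliced into the string
    // becomes part of the multi-statement payload, so an unsanitized 'name'
    // can change which statements the server runs.
    static void insertUnsafe(Connection c, List<String> names) throws SQLException {
        try (Statement st = c.createStatement()) {
            for (String name : names) {
                st.addBatch("INSERT INTO users (name) VALUES ('" + name + "')");
            }
            st.executeBatch();
        }
    }

    // Safe pattern: the SQL text is fixed; only the parameter values are
    // batched, and the driver escapes them when it rewrites the batch.
    static void insertSafe(Connection c, List<String> names) throws SQLException {
        String sql = "INSERT INTO users (name) VALUES (?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            for (String name : names) {
                ps.setString(1, name);
                ps.addBatch();
            }
            ps.executeBatch();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: the second value contains a quote, which the
        // parameterized version stores as-is but which breaks the string-built SQL.
        List<String> names = List.of("alice", "o'brien");
        try (Connection c = DriverManager.getConnection(URL, "app", "secret")) {
            insertSafe(c, names);
        }
    }
}
```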
Posted March 06, 2018 01:31PM