SQL Injection risks with entity API
Posted by Leon Torres-2 on Jul 07, 2006; 8:00pm
URL: http://ofbiz.116.s1.nabble.com/SQL-Injection-risks-with-entity-API-tp169530.html
How robust is the entity engine API against SQL injection attacks? Consider the
following scenario:
// get the field to order by from the request parameters
orderByField = parameters.get("orderByField");
if (orderByField == null || orderByField.trim().length() == 0) {
    orderByField = "partyId"; // default
}
...
parties = delegator.findByAnd("Party", conditions,
        UtilMisc.toList(orderByField)); // order by this field
What happens if the user tries to inject SQL into the orderByField parameter?
Is there a risk? Should I be protecting myself by validating the orderByField
parameter, or does OFBiz/JDBC already do this?
- Leon
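As an added example (not part of the original post and not OFBiz code), here is the validation a defender would put in front of the `findByAnd` call above: an ORDER BY target is an identifier, not a value, so it cannot be bound as a JDBC parameter, and the robust fix is to accept only field names from an allowlist. The `OrderByGuard` class, its hard-coded `PARTY_FIELDS` set and the leading "-"/"+" direction prefix are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Hypothetical helper (not from OFBiz): maps a user-supplied orderByField to a
 * value that is guaranteed to be a known field name before it reaches
 * delegator.findByAnd(). The allowlist is a constructed subset of Party fields;
 * a real handler would derive it from the entity model rather than hard-code it.
 */
public class OrderByGuard {
    private static final String DEFAULT_FIELD = "partyId";
    private static final Set<String> PARTY_FIELDS = new HashSet<String>(
            Arrays.asList("partyId", "partyTypeId", "statusId", "createdDate"));

    /**
     * Returns a safe order-by spec. An optional leading "-" (descending) or
     * "+" (ascending) is preserved (assumed entity-engine convention); any bare
     * field name that is not in the allowlist falls back to the default.
     */
    public static String safeOrderBy(String requested) {
        if (requested == null) {
            return DEFAULT_FIELD;
        }
        String spec = requested.trim();
        if (spec.length() == 0) {
            return DEFAULT_FIELD;
        }
        String prefix = "";
        if (spec.charAt(0) == '-' || spec.charAt(0) == '+') {
            prefix = spec.substring(0, 1);
            spec = spec.substring(1).trim();
        }
        // Exact, case-sensitive membership test: anything carrying extra SQL
        // syntax (spaces, quotes, semicolons, comments) can never match a field.
        if (!PARTY_FIELDS.contains(spec)) {
            return DEFAULT_FIELD;
        }
        return prefix + spec;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate, one padded, one hostile, one absent.
        String[] samples = { "partyId", "-createdDate", "  statusId ", "partyId; --", null };
        for (String s : samples) {
            System.out.println(s + " -> " + safeOrderBy(s));
        }
        // The caller then passes the result exactly where the original snippet
        // passed the raw parameter:
        // delegator.findByAnd("Party", conditions, UtilMisc.toList(safeOrderBy(raw)));
    }
}
```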