
Re: SQL Injection risks with entity API

Posted by BJ Freeman on Jul 07, 2006; 8:30pm
URL: http://ofbiz.116.s1.nabble.com/SQL-Injection-risks-with-entity-API-tp169530p169533.html

In my configurations, each SQL database has its own login that is unique.
Without that login, no other user can access the SQL database.

Are you saying that ofbiz may create these attacks? If so, how?

Leon Torres sent the following on 7/7/2006 12:00 PM:

> How robust is the entity engine API against sql injection attacks?  
> Consider the following scenario:
>
> // get the field to order by from the request parameters
> orderByField = parameters.get("orderByField");
> if (orderByField == null || orderByField.trim().length() == 0) {
>   orderByField = "partyId"; // default
> }
>
> ...
>
> parties = delegator.findByAnd("Party", conditions,
> UtilMisc.toList(orderByField)); // order by this field
>
>
> What happens if the user tries to inject SQL into the orderByField
> parameter? Is there a risk?  Should I be protecting myself by validating
> the orderByField parameter or does ofbiz/JDBC already do this?
>
> - Leon
>
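Whatever the entity engine does internally with the order-by string, the check a practitioner would put in front of the `findByAnd` call in Leon's snippet is allow-list validation: compare the request parameter against the entity's own field names and fall back to the default on anything else. The class below is an added example written for this thread; it is not OFBiz code and not code from either poster. It assumes the legal field names would come from the entity model at runtime (in OFBiz, `delegator.getModelEntity("Party").getAllFieldNames()` is the assumed API); here a constructed sample set stands in for that so the class compiles and runs on its own.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Allow-list validation for a user-supplied order-by field.
 * Added example for the thread above; not OFBiz project code.
 *
 * Assumption: in a real deployment the allowed names would be read from
 * the entity model (delegator.getModelEntity("Party").getAllFieldNames(),
 * assumed API). PARTY_FIELDS below is a constructed sample so this runs
 * stand-alone.
 */
public final class OrderByValidator {

    /** Constructed sample of Party entity field names (not the full model). */
    static final Set<String> PARTY_FIELDS = new LinkedHashSet<>(List.of(
            "partyId", "partyTypeId", "statusId", "createdDate", "lastModifiedDate"));

    static final String DEFAULT_ORDER_BY = "partyId";

    private OrderByValidator() {}

    /**
     * Returns the order-by string to hand to the delegator, or the default
     * when the input is absent, blank, or not an exact field name of the
     * entity. An optional " ASC" / " DESC" suffix is accepted; anything
     * else (punctuation, extra tokens, wrong case) is rejected outright
     * rather than escaped or cleaned up.
     */
    public static String safeOrderBy(String requested, Set<String> allowedFields) {
        if (requested == null) return DEFAULT_ORDER_BY;
        String s = requested.trim();
        if (s.isEmpty()) return DEFAULT_ORDER_BY;

        String field = s;
        String direction = "";
        int sp = s.indexOf(' ');
        if (sp > 0) {
            field = s.substring(0, sp);
            String dir = s.substring(sp + 1).trim().toUpperCase();
            if (!dir.equals("ASC") && !dir.equals("DESC")) return DEFAULT_ORDER_BY;
            direction = " " + dir;
        }
        // Exact match against the model's field names: the value that reaches
        // the query is always one of our own identifiers, never the raw input.
        return allowedFields.contains(field) ? field + direction : DEFAULT_ORDER_BY;
    }

    /** Convenience wrapper shaped like the UtilMisc.toList(...) argument in the snippet. */
    public static List<String> safeOrderByList(String requested) {
        return Collections.singletonList(safeOrderBy(requested, PARTY_FIELDS));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid, valid with direction, missing,
        // blank, hostile, wrong case, unknown suffix.
        String[] samples = {
            "partyId",
            " statusId desc ",
            null,
            "   ",
            "partyId; DROP TABLE PARTY",
            "partyid",
            "createdDate RANDOM"
        };
        for (String in : samples) {
            System.out.printf("%-28s -> %s%n", String.valueOf(in), safeOrderByList(in));
        }
    }
}
```

In the request handler this replaces the bare `UtilMisc.toList(orderByField)` with `OrderByValidator.safeOrderByList(parameters.get("orderByField"))`, so the default branch in the snippet and the validation collapse into one place. The design choice is deliberate: a denylist of dangerous characters would have to anticipate every database's quoting rules, whereas an allow-list built from the entity model cannot let through anything the model does not define.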