Toplink

Betsy Camel
Hi

We have a web application that uses Toplink. Recently we found SQL injection issues in the application. When I searched the web, I found that there are no details on how this can be avoided in Toplink. Can anyone help me in solving this issue? I basically want to avoid this and would like to know if there are any configurations that need to be done. Else, what are the other ways to prevent this?
Thanks
 
Paul Sturrock
I'm not very familiar with Toplink (I last used it 8 years ago) but doesn't it support bind variables?
 
Betsy Camel
Could you please give me some good links on that? I am unable to get hold of any good links that give information on how SQL injection can be prevented in Toplink.
 
Paul Sturrock
There appears to be a configuration parameter "should-bind-all-parameters" you can use to force Toplink to bind variables. Check the docs.
 
James Sutherland
TopLink should not have any SQL injection issue, unless you are executing your own SQL that you dynamically built with user input.

TopLink has always supported bind parameters, and as of 10.1.3 uses them by default.
Even without bind parameters, TopLink always quotes parameters, so SQL injection should not be possible.
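To make the distinction in this thread concrete, here is an added example (not code from any poster or from TopLink itself) showing the one case that is still exposed, a hand-built SQL string, beside two safe forms that pass the user's value as a bind parameter, plus the session-wide equivalent of the should-bind-all-parameters setting. It is written against the TopLink 10.1.3 `oracle.toplink.*` packages; the `Employee` class, its `lastName` attribute and the `EMPLOYEE.L_NAME` column are a constructed mapping for illustration. EclipseLink, TopLink's open-source successor, exposes the same classes under `org.eclipse.persistence.*`.

```java
import java.util.Vector;

import oracle.toplink.expressions.Expression;
import oracle.toplink.expressions.ExpressionBuilder;
import oracle.toplink.queryframework.ReadAllQuery;
import oracle.toplink.queryframework.SQLCall;
import oracle.toplink.sessions.DatabaseLogin;
import oracle.toplink.sessions.Session;

/** Employee is a hypothetical mapped class: attribute lastName -> column EMPLOYEE.L_NAME. */
public class EmployeeLookup {

    /** The exposed case: custom SQL assembled from user input. */
    public static Vector findByLastNameUnsafe(Session session, String userInput) {
        ReadAllQuery query = new ReadAllQuery(Employee.class);
        // A quote character in userInput ends the literal; the rest of the input is run as SQL.
        query.setCall(new SQLCall("SELECT * FROM EMPLOYEE WHERE L_NAME = '" + userInput + "'"));
        return (Vector) session.executeQuery(query);
    }

    /** Same custom SQL, fixed: a #argument marker makes TopLink bind the value instead of inlining it. */
    public static Vector findByLastNameSqlBound(Session session, String userInput) {
        ReadAllQuery query = new ReadAllQuery(Employee.class);
        query.setCall(new SQLCall("SELECT * FROM EMPLOYEE WHERE L_NAME = #lastName"));
        query.addArgument("lastName");   // declares #lastName as a query argument
        query.bindAllParameters();       // per-query form of should-bind-all-parameters
        Vector args = new Vector();
        args.add(userInput);             // the value is sent separately from the SQL text
        return (Vector) session.executeQuery(query, args);
    }

    /** Preferred: no hand-written SQL; the expression framework generates parameterised SQL. */
    public static Vector findByLastNameExpression(Session session, String userInput) {
        ExpressionBuilder emp = new ExpressionBuilder();
        Expression where = emp.get("lastName").equal(emp.getParameter("lastName"));
        ReadAllQuery query = new ReadAllQuery(Employee.class, where);
        query.addArgument("lastName");
        Vector args = new Vector();
        args.add(userInput);
        return (Vector) session.executeQuery(query, args);
    }

    /** Session-wide setting, the Java equivalent of should-bind-all-parameters in sessions.xml. */
    public static void forceBinding(Session session) {
        ((DatabaseLogin) session.getLogin()).setShouldBindAllParameters(true);
    }
}
```

Call `forceBinding` before the session logs in, since the login settings are read when the connection is established; enabling it does not rescue `findByLastNameUnsafe`, whose value is already part of the SQL text before TopLink sees it.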
 