sql injection for dcl statement
Ranch Hand
Posts: 258
hi,

I have a REVOKE query which I execute using a Java class on a DB2 database.

    REVOKE ROLE 'xyz' FROM USER 'john' BY ALL

In Java I pass the values for xyz and john through variables, which can be attacked using SQL injection. I can't use a prepared statement here as this is a DCL statement. I also can't use a stored procedure to avoid this, due to our application restrictions.

Is there any way to prevent/fix this injection?
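Since a DCL statement cannot take bind parameters, the usual defence is to never let an arbitrary string reach the SQL text at all: validate each value as a plain identifier (and, where possible, against a list of names the tool is allowed to act on) and reject everything else. The following is an added example, not code from the thread. The identifier pattern, the allowlist contents and the helper names are assumptions; the statement is assembled in the same shape as the poster's, and the safety comes from the validation rather than from the quoting.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: build a DB2 REVOKE ROLE statement from untrusted values
 * without a prepared statement, by refusing anything that is not a plain
 * identifier before it can become part of the SQL text.
 */
public final class RevokeRoleBuilder {

    // Assumption: role and user names in this application are plain SQL
    // identifiers (a letter or underscore, then letters, digits or underscores,
    // at most 128 characters). Quotes, spaces, semicolons and comment markers
    // can never match this pattern, so they never reach the statement.
    private static final Pattern IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    // Second layer: an explicit allowlist of roles this tool may revoke.
    // Constructed sample values; a real deployment would load them from
    // configuration or from a catalogue query made with a prepared statement.
    private static final Set<String> REVOKABLE_ROLES =
            Set.of("REPORT_READER", "BATCH_OPERATOR");

    private RevokeRoleBuilder() {}

    /** Returns the value unchanged if it is a safe identifier, else throws. */
    static String requireIdentifier(String what, String value) {
        if (value == null || !IDENTIFIER.matcher(value).matches()) {
            throw new IllegalArgumentException(what + " is not a valid identifier: " + value);
        }
        return value;
    }

    /**
     * Builds the statement text. Both inputs are validated first, so the
     * resulting SQL always has exactly the shape REVOKE ROLE 'x' FROM USER 'y' BY ALL.
     */
    public static String revokeRoleStatement(String role, String user) {
        String safeRole = requireIdentifier("role", role);
        String safeUser = requireIdentifier("user", user);
        if (!REVOKABLE_ROLES.contains(safeRole.toUpperCase())) {
            throw new IllegalArgumentException("role is not in the revokable allowlist: " + safeRole);
        }
        return "REVOKE ROLE '" + safeRole + "' FROM USER '" + safeUser + "' BY ALL";
    }

    public static void main(String[] args) {
        // Legitimate input produces a fixed-shape statement.
        System.out.println(revokeRoleStatement("REPORT_READER", "john"));

        // Constructed bad input containing a quote and a comment marker:
        // the whole value is rejected and no statement is built.
        String hostile = "xyz'; --";
        try {
            revokeRoleStatement(hostile, "john");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The string returned by `revokeRoleStatement` is what you would hand to `Statement.execute` on the JDBC connection; the rejected case should be logged as a security event rather than silently swallowed, since a quote or semicolon in a role or user name is not something a legitimate caller of an administration tool sends.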
 
Sheriff
Posts: 4648
You mean to say you have a public facing application that performs user administration tasks on your database? That doesn't sound to me like a very good idea at all.
 
vijay jamadade
Ranch Hand
Posts: 258
Yes, the whole idea behind my application is doing administrative tasks.
 
Saloon Keeper
Posts: 10415
So, assuming that whoever has access to your application also has administrative privileges, isn't it pointless to protect against SQL injection, since the admin can more easily break the system through other means?
 