Hi there,
There is a link in the explanation to the first option:
https://community.oracle.com/blogs/caro ... tion-flaws
-> Page Not Found
Kind regards
PS: What is the proper way to inform about typos and such things?
About Question enthuware.ocpjp.v11.2.1354 :
- Site Admin
Re: About Question enthuware.ocpjp.v11.2.1354 :
Updated to https://dzone.com/articles/owasp-top-10-number-2
Thank you for your feedback!
You may report them here, or by email or through WhatsApp, whichever way is the most convenient for you.
If you like our products and services, please help us by posting your review here.
Re: About Question enthuware.ocpjp.v11.2.1354 :
The links are not working or need registration.
From my point of view, the explanation:
"Since parameter values of the query are set using setter methods, it is not possible to manipulate the resulting query by specifying ill-formatted values." is not correct. If you use setters, it does not mean that you have escaped the text.
The correct version is:
"They protect against SQL injection by escaping text for all the parameter values provided."
Or mix both.
- Site Admin
Re: About Question enthuware.ocpjp.v11.2.1354 :
Will update the link. Thank you for your feedback!
If you use PreparedStatement, you set the parameters using the setter methods, and that makes it impossible to manipulate the resulting query, because you don't send the query directly; the PreparedStatement sends the query. You only set the parameters.
Now, whether it internally escapes, and what exactly it escapes, is immaterial. Those are internal details.
How do you know it escapes? I could write a driver that doesn't escape but simply throws an exception upon encountering a single quote in the query! That would also prevent SQL injection, wouldn't it?
So, your claim that they protect against SQL injection by escaping text for all the parameter values provided is actually technically wrong.
The JavaDoc API description for setString doesn't say anything about escaping either.
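To make the distinction in the reply above concrete, here is an added example that is not from the question, the thread, or Enthuware. It uses Python's standard-library sqlite3 module, whose `?` parameter binding plays the same role as JDBC's PreparedStatement setters: the SQL text is fixed, and the values travel separately, so whether or how the driver escapes them is invisible to the caller. The table, credentials and injection string are constructed sample data; the function names are the example's own.

```python
import sqlite3

# Constructed sample data (not from the original thread).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# Classic tautology payload; the closing quote is supplied by the template.
INJECTION = "' OR '1'='1"


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the caller's input becomes part of the SQL text,
    so the database parses whatever the attacker typed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe: the statement text is constant; name and password are bound
    as parameters, the analogue of PreparedStatement.setString in JDBC.
    The input is compared as a value and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def store_and_read_back(conn, name, password):
    """Bind a value full of SQL metacharacters, then read it back.
    It comes back byte-for-byte identical: no escaping is ever applied
    to the stored data, because the data never entered the SQL text."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, password))
    row = conn.execute(
        "SELECT password FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause becomes
    #   name = 'alice' AND password = '' OR '1'='1'   -> every row matches
    print(login_concat(db, "alice", INJECTION))
    # Binding: the same string is just a wrong password -> no rows
    print(login_param(db, "alice", INJECTION))
    print(store_and_read_back(db, "eve", "it's '; DROP TABLE users; --"))
```

Run it once with concatenation and once with binding to see the same payload authenticate every user in the first case and nobody in the second. The third call shows the point the reply makes about escaping: the quote-laden value is stored and returned unchanged, because a bound parameter is data on its own channel, not text the driver had to neutralise inside the query.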
Re: About Question enthuware.ocpjp.v11.2.1354 :
But you may use setters and not implement escaping or throw an exception. This means that the correct statement is: it gives the ability to use setter methods and implement escaping, or throw an exception, or whatever you like. The explanation looks strange and does not explain the reason.