About Question enthuware.ocpjp.v11.2.1354 :
Posted: Thu Dec 03, 2020 6:50 am
by futurecap
Hi there,
there is a link in the explanation to the first option:
https://community.oracle.com/blogs/caro ... tion-flaws
-> Page Not Found
Kind regards
PS: What is the proper way to inform about typos and such things?
Re: About Question enthuware.ocpjp.v11.2.1354 :
Posted: Thu Dec 03, 2020 8:35 pm
by admin
Updated to
https://dzone.com/articles/owasp-top-10-number-2
Thank you for your feedback!
You may report them here, or by email or through whatsapp, whichever way is the most convenient for you.
Re: About Question enthuware.ocpjp.v11.2.1354 :
Posted: Thu Nov 16, 2023 7:13 am
by Tester
The links are not working or need registration.
From my point of view the explanation:
"Since parameters values of the query are set using setter methods, it is not possible to manipulate the resulting query by specifying ill formatted values." is not correct. If you use setters it does not mean that you escaped the text.
The correct one is:
"They protect against SQL injection, by escaping text for all the parameter values provided."
Or mix both.
Re: About Question enthuware.ocpjp.v11.2.1354 :
Posted: Thu Nov 16, 2023 9:22 am
by admin
Will update the link. Thank you for your feedback!
If you use PreparedStatement, you set the parameters using the setter methods. And that makes it impossible to manipulate the resulting query, because you don't send the query directly; the PreparedStatement sends the query. You only set the parameters.
Now, whether it internally escapes and what all exactly does it escape is immaterial. Those are internal details.
How do you know it escapes? I could write a driver that doesn't escape but simply throws an exception upon encountering a single quote in the query! That would also prevent SQL injection, wouldn't it?
So, your claim that they protect against SQL injection, by escaping text for all the parameter values provided, is actually technically wrong.
The JavaDoc API description for setString doesn't say anything about escaping either.
Re: About Question enthuware.ocpjp.v11.2.1354 :
Posted: Thu Nov 16, 2023 12:04 pm
by Tester
But you may use setters and not implement escaping or throw an exception. This means that the correct one is: it gives the ability to use setter methods and implement escaping or throw an exception or whatever you like. The explanation looks strange and does not explain the reason.
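An added example (not from the thread or from Enthuware) illustrating the point admin makes above: with parameter binding the statement text is fixed and the value travels separately, so nothing needs to be "escaped". It uses Python's sqlite3 module instead of JDBC so that it runs stand-alone, but the binding behaviour shown is the same one PreparedStatement.setString relies on; the users table and its rows are constructed sample data.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # The apostrophe in o'brien is stored exactly as given: binding does
    # not rewrite the value, it just keeps it out of the SQL text.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the value is pasted into the statement text, so the
    database parses whatever the caller supplied as part of the SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Parameterised form (what PreparedStatement.setString does in JDBC):
    the statement text never changes and the value is sent as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and return (concat, bound).
    The concatenated form may fail because the input broke the SQL;
    in that case the error text is returned in its place."""
    conn = setup_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    bound = lookup_bound(conn, name)
    conn.close()
    return concat, bound


if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and a value that
    # looks like SQL: only the bound form treats all three as mere data.
    for value in ["bob", "o'brien", "x' OR 'a'='a"]:
        print(repr(value), "->", compare(value))
```

Note that the bound lookup returns an empty list for the SQL-looking value rather than every row, and matches o'brien without anyone having escaped the quote.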