MySQL’s allowMultiQueries flag with JDBC and jOOQ

MySQL's JDBC connector has a security feature called allowMultiQueries, which defaults to false. When turned off, it prevents using a useful, but potentially dangerous feature in MySQL via JDBC:

    try (Statement s = connection.createStatement()) {
        try {
            s.execute("create table t (i int);");

            // This doesn't work, by default:
            s.executeUpdate("""
                insert into t values (1);
                insert …

Do not GRANT ALL PRIVILEGES to your Production Users

Thanks to the generous contributions of Timur Shaidullin, jOOQ 3.11 will now support GRANT and REVOKE statements through #6812. While implementing integration tests for these new features, I had researched the different ways these statements work on a variety of databases, and the good news is, they're all mostly quite standardised (in fact, they're …

Prevent SQL Injection with SQL Builders Like jOOQ

As long as we allow ourselves to write string-based dynamic SQL embedded in other programming languages like Java, we will have a certain risk of being vulnerable to SQL injection. That's a fact. Don't believe it? Check out this website exposing all vulnerabilities on Stack Overflow for PHP questions: https://laurent22.github.io/so-injections In a previous blog post, …

Using jOOQ’s ExecuteListener to Prevent Write Operations on a Connection

Security is important, especially on the data access layer. Most commercial databases allow for fine-grained privilege control using database access grants. For instance, you would be restricting access for a user to a certain set of tables (or even better: views), via GRANT statements: GRANT SELECT ON table TO user; With this fine-grained access control, …

Using SQL Injection Vulnerabilities to Dump Your Database

The threat caused by SQL injection is heavily underestimated even by many senior developers and software architects. Most people are unaware of the fact that an entire server can be put at risk by a single vulnerability, even in the remotest piece of logic. This article will give a frightening insight into the potential severity of …