MySQL’s allowMultiQueries flag with JDBC and jOOQ

MySQL's JDBC connector has a security feature called allowMultiQueries, which defaults to false. When turned off, it prevents using a useful but potentially dangerous MySQL feature via JDBC:

try (Statement s = connection.createStatement()) {
    try {
        s.execute("create table t (i int);");

        // This doesn't work, by default:
        s.executeUpdate("""
            insert into t values (1);
            insert …
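The following JDBC-only program is an added example, not code from the original post. It runs the same lookup twice, once with the default and once with allowMultiQueries=true, and shows that string concatenation is the actual injection point: with the flag off the stacked DROP TABLE is rejected by the server as a syntax error, with the flag on it executes, and a PreparedStatement bind is unaffected either way. The host, schema and credentials are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MultiQueriesDemo {

    // Assumptions for the example: a local MySQL schema "demo" reachable with these credentials.
    static final String HOST = "jdbc:mysql://localhost:3306/demo";
    static final String USER = "demo";
    static final String PASSWORD = "demo";

    // Constructed hostile input: closes the string literal, ends the statement,
    // stacks a second statement and comments out the rest of the original query.
    static final String HOSTILE = "x'; DROP TABLE t; -- ";

    // Vulnerable lookup: user input is concatenated into the SQL text. Whether the
    // stacked DROP reaches the server as a second statement is decided solely by
    // allowMultiQueries on the connection URL.
    static boolean vulnerableLookup(Connection c, String s) throws SQLException {
        String sql = "SELECT i FROM t WHERE s = '" + s + "'";
        try (Statement st = c.createStatement()) {
            st.execute(sql);
            try (ResultSet rs = st.getResultSet()) {
                return rs != null && rs.next();
            }
        }
    }

    // Safe lookup: the input is a bind value. It can neither end the statement nor
    // start another one, so the flag no longer matters for injection through this value.
    static boolean safeLookup(Connection c, String s) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT i FROM t WHERE s = ?")) {
            ps.setString(1, s);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    static boolean tableExists(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SHOW TABLES LIKE 't'")) {
            return rs.next();
        }
    }

    static void run(boolean allowMultiQueries) throws SQLException {
        String url = HOST + "?allowMultiQueries=" + allowMultiQueries;
        try (Connection c = DriverManager.getConnection(url, USER, PASSWORD);
             Statement st = c.createStatement()) {
            st.execute("DROP TABLE IF EXISTS t");
            st.execute("CREATE TABLE t (i INT, s VARCHAR(50))");
            st.execute("INSERT INTO t VALUES (1, 'x')");

            System.out.println("allowMultiQueries=" + allowMultiQueries);
            try {
                vulnerableLookup(c, HOSTILE);
                System.out.println("  concatenated query was accepted");
            }
            catch (SQLException e) {
                // With the flag off the server sees "...; DROP TABLE t; -- '" as a single
                // statement and rejects it with a syntax error. The injection point is
                // still there; only the stacked statement is blocked.
                System.out.println("  concatenated query rejected: " + e.getMessage());
            }
            System.out.println("  table t still exists: " + tableExists(c));

            // The bind value is harmless in both runs (t is already gone in the flag-on run).
            if (tableExists(c))
                System.out.println("  safe lookup with hostile input found a row: "
                                   + safeLookup(c, HOSTILE));
        }
    }

    public static void main(String[] args) throws SQLException {
        run(false); // default: stacked statement rejected, t survives
        run(true);  // flag on: DROP TABLE t executes
    }
}
```

The default setting is a mitigation for one injection shape only: stacked statements. A UNION or a tautology in the WHERE clause works regardless of the flag, which is why the bind variable, not the flag, is the control to rely on.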

Never Concatenate Strings With jOOQ

jOOQ supports a vast amount of SQL syntax out of the box. As such, most users will not think of resorting to string concatenation like in the old days when writing dynamic SQL with JDBC. But every now and then, a vendor-specific feature is not supported by jOOQ (yes, it happens). In that case, …

Do not GRANT ALL PRIVILEGES to your Production Users

Thanks to the generous contributions of Timur Shaidullin, jOOQ 3.11 will now support GRANT and REVOKE statements through #6812. While implementing integration tests for these new features, I researched the different ways these statements work on a variety of databases, and the good news is that they're all mostly quite standardised (in fact, they're …
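As an added example (not code from the post or from jOOQ itself), the following renders GRANT and REVOKE statements through jOOQ's DSL without a database connection, contrasting the GRANT ALL PRIVILEGES anti-pattern with a least-privilege grant for an application's runtime account. The table, user and role names are assumptions; the DSL methods used (grant, revoke, privilege, user) are the ones the editor knows from the 3.11 API and should be checked against that release's javadoc.

```java
import static org.jooq.impl.DSL.name;
import static org.jooq.impl.DSL.privilege;
import static org.jooq.impl.DSL.table;
import static org.jooq.impl.DSL.user;

import org.jooq.DSLContext;
import org.jooq.SQLDialect;
import org.jooq.Table;
import org.jooq.User;
import org.jooq.impl.DSL;

public class LeastPrivilegeGrants {

    // Render-only context: no connection is needed to see the SQL jOOQ produces.
    static final DSLContext ctx = DSL.using(SQLDialect.POSTGRES);

    // Assumed names for the example.
    static final Table<?> ORDERS = table(name("app", "orders"));
    static final User APP = user("app_user");        // the application's runtime account
    static final User REPORTING = user("reporting"); // a read-only consumer

    // The anti-pattern: every privilege, DDL included, handed to the runtime account.
    // An injection through this account can then ALTER or DROP, not just read.
    static String grantAll() {
        return ctx.grant(privilege("ALL PRIVILEGES")).on(ORDERS).to(APP).getSQL();
    }

    // Least privilege: only the statements the application actually issues at runtime.
    static String grantRuntime() {
        return ctx.grant(privilege("SELECT"), privilege("INSERT"), privilege("UPDATE"))
                  .on(ORDERS)
                  .to(APP)
                  .getSQL();
    }

    // A consumer that only reads gets only SELECT.
    static String grantReadOnly() {
        return ctx.grant(privilege("SELECT")).on(ORDERS).to(REPORTING).getSQL();
    }

    // Undoing an over-broad grant that already went out.
    static String revokeAll() {
        return ctx.revoke(privilege("ALL PRIVILEGES")).on(ORDERS).from(APP).getSQL();
    }

    public static void main(String[] args) {
        System.out.println("anti-pattern: " + grantAll());
        System.out.println("runtime:      " + grantRuntime());
        System.out.println("read-only:    " + grantReadOnly());
        System.out.println("revoke:       " + revokeAll());
    }
}
```

Schema migrations, which do need DDL, should run under a separate account that the application never connects with; the runtime account then cannot change the schema even if a query is injected.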

Prevent SQL Injection with SQL Builders Like jOOQ

As long as we allow ourselves to write string-based dynamic SQL embedded in other programming languages like Java, we will have a certain risk of being vulnerable to SQL injection. That's a fact. Don't believe it? Check out this website exposing all the vulnerabilities in Stack Overflow PHP questions: https://laurent22.github.io/so-injections In a previous blog post, …
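The following is an added example (not code from either post) covering both "Never Concatenate Strings With jOOQ" above and this post: it renders the same query three ways without a database connection, through the typed DSL, through jOOQ's plain SQL templating with a {0} placeholder for the vendor-specific case, and through string concatenation, and prints the inlined SQL so the difference is visible. The table and column names, the vendor function and the hostile input are assumptions.

```java
import static org.jooq.impl.DSL.condition;
import static org.jooq.impl.DSL.field;
import static org.jooq.impl.DSL.table;
import static org.jooq.impl.DSL.using;
import static org.jooq.impl.DSL.val;

import org.jooq.Condition;
import org.jooq.DSLContext;
import org.jooq.Query;
import org.jooq.SQLDialect;
import org.jooq.conf.ParamType;

public class NoConcatenation {

    // Render-only context: no connection is needed to show the SQL jOOQ produces.
    static final DSLContext ctx = using(SQLDialect.MYSQL);

    // Constructed hostile input: tries to close the literal and append a tautology.
    static final String HOSTILE = "' OR '1'='1";

    // 1. Typed DSL: the input has no way to become SQL text, only a bind value.
    static Query typedDsl(String input) {
        return ctx.selectFrom(table("users"))
                  .where(field("name", String.class).eq(input));
    }

    // 2. Plain SQL templating for syntax jOOQ does not cover (some_vendor_function is
    //    assumed): {0} is a placeholder for a QueryPart, and val() makes the input a
    //    bind value. The SQL string itself stays a constant.
    static Query plainSqlTemplate(String input) {
        Condition c = condition("name = {0} and some_vendor_function(name) > 0", val(input));
        return ctx.selectFrom(table("users")).where(c);
    }

    // 3. Vulnerable: the input is concatenated into the template and becomes SQL text.
    //    jOOQ cannot tell the difference between your SQL and the attacker's.
    static Query concatenated(String input) {
        return ctx.selectFrom(table("users"))
                  .where(condition("name = '" + input + "' and some_vendor_function(name) > 0"));
    }

    static void show(String label, Query q) {
        System.out.println(label);
        System.out.println("  bind form:    " + q.getSQL());
        System.out.println("  inlined form: " + q.getSQL(ParamType.INLINED));
    }

    public static void main(String[] args) {
        // In the first two, the inlined form shows the quote properly escaped inside
        // one literal; in the third, the tautology is part of the WHERE clause.
        show("typed DSL", typedDsl(HOSTILE));
        show("plain SQL template", plainSqlTemplate(HOSTILE));
        show("concatenation (vulnerable)", concatenated(HOSTILE));
    }
}
```

A useful review rule follows from this: a plain SQL string passed to jOOQ must be a compile-time constant. Anything variable belongs in a placeholder argument, as a bind value via val() or, for a trusted constant you want inlined, via inline().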

JSR-308 and the Checker Framework Add Even More Typesafety to jOOQ 3.9

Java 8 introduced JSR-308, which added new annotation capabilities to the Java language. Most importantly: type annotations. It is now possible to design monsters like the one below: https://twitter.com/lukaseder/status/711612663202238464 The code displayed in that tweet really compiles. Every type can be annotated now, in order to enhance the type system in any custom way. Why, you …

Using SQL Injection Vulnerabilities to Dump Your Database

The threat caused by SQL injection is heavily underestimated even by many senior developers and software architects. Most people are unaware of the fact that an entire server can be put at risk by a single vulnerability, even in the remotest piece of logic. This article will give a frightening insight into the potential severity of …

Hilarious Rant about SQL Injection

My recent article about SQL injection has stirred some serious emotions on JCG. I don't want to keep it from you! An extract: [...] The idea that if I use an ORM, my SQL injection woes will magically go away is f***ing harmful, shortsighted, and anybody who thinks that should be kicked squarely in a sensitive …

Database Abstraction and SQL Injection

I have subscribed to various user groups of jOOQ's competing database abstraction tools. One of them is ActiveJDBC, a Java implementation of the Active Record design pattern. Its maintainer Igor Polevoy recently claimed that: SQL injection is a web application problem, and not directly related to an ORM. ActiveJDBC will process any SQL that is passed to it. …