Is prepared statement there to access the JCR like JDBC?

Solved
  • October 16, 2015
  • 3 replies
  • 1771 views

Hi,

To avoid SQL injection, is a prepared statement required to access the JCR?

It seems the JCR API doesn't have prepared statements?

If so, how will SQL injection be avoided in CQ5?

Thanks in advance

Best answer by joerghoh

Do not confuse JCR SQL with ANSI SQL (of the database world). JCR SQL allows only to read data, but not to insert, update or delete data. Please consult the JCR 2.0 Specification [1] if you have more questions on that.

So basically there is no need to use prepared statements.

kind regards,

Jörg

[1] http://www.day.com/day/en/products/jcr/jsr-283.html

3 replies

joerghoh
Adobe Employee (Accepted solution)
October 16, 2015


October 16, 2015

Thanks.

But SQL injection is also possible in a SELECT query, right?

Correct me if I am wrong.

joerghoh
Adobe Employee
October 16, 2015

Hi,

Technically yes: if you don't check your parameters, you can insert unwanted values into your query. But then the effect is always limited, because before the result is delivered to you, every item is checked against the ACLs, so no, you cannot get data you are not allowed to read.

If you need more detailed answers (or, for some reason, official answers), please raise a Daycare ticket.

Jörg
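The two answers above make the same point from different angles: JCR SQL is read-only, and results are filtered by ACLs, but a parameter spliced into the statement text still lets a caller reshape the query. The following is an added example, not code from the thread or from Adobe, showing the concatenation pattern the second answer warns about beside the JCR 2.0 (JSR-283) bind-variable mechanism (`$name` in the statement plus `Query.bindValue()`), which is the JCR API's counterpart to a JDBC prepared statement. It assumes an already authenticated `javax.jcr.Session`; the node type `cq:PageContent`, the path `/content/site` and the sample titles are illustrative assumptions.

```java
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Added example: looking up pages by title with JCR-SQL2, once by splicing
 * caller input into the statement and once with a bind variable.
 * Assumes an authenticated JCR Session (in CQ5 typically obtained via
 * resourceResolver.adaptTo(Session.class)); node type and path are
 * placeholders chosen for illustration.
 */
public final class TitleLookup {

    // Bind variable $title: the statement text is fixed, the value is
    // supplied separately and never parsed as query syntax.
    private static final String QUERY_WITH_BIND_VARIABLE =
        "SELECT * FROM [cq:PageContent] AS c "
      + "WHERE ISDESCENDANTNODE(c, '/content/site') AND c.[jcr:title] = $title";

    private TitleLookup() {}

    /**
     * Pattern to avoid: the title is concatenated straight into the statement.
     * Any value containing a single quote changes the statement itself, so the
     * query that runs is no longer the query the code intended. ACLs still cap
     * what the session can read, as the answer above notes, but the filter is
     * now under the caller's control.
     */
    static String buildUnsafeStatement(String untrustedTitle) {
        return "SELECT * FROM [cq:PageContent] AS c "
             + "WHERE ISDESCENDANTNODE(c, '/content/site') AND c.[jcr:title] = '"
             + untrustedTitle + "'";
    }

    /**
     * Preferred form: JCR 2.0 bind variables. The Value object is passed to the
     * query engine as data, so quotes in the title cannot alter the statement.
     */
    static NodeIterator findByTitle(Session session, String untrustedTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query query = qm.createQuery(QUERY_WITH_BIND_VARIABLE, Query.JCR_SQL2);
        Value title = session.getValueFactory().createValue(untrustedTitle);
        query.bindValue("title", title);
        QueryResult result = query.execute();
        // Every node returned has already been checked against the session's
        // read ACLs by the repository.
        return result.getNodes();
    }

    /**
     * Fallback for code that must build a literal (e.g. a statement assembled
     * from fragments): JCR-SQL2 represents a single quote inside a string
     * literal by doubling it. Escaping is weaker than binding because it must be
     * applied at every concatenation point, so prefer bindValue() where possible.
     */
    static String quoteLiteral(String raw) {
        return "'" + raw.replace("'", "''") + "'";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the original thread.
        String plainTitle = "Home";
        String quotedTitle = "Kids' Corner";
        System.out.println(buildUnsafeStatement(plainTitle));
        // The apostrophe terminates the literal early and leaves a dangling
        // "Corner'" in the statement: the query is malformed or means something else.
        System.out.println(buildUnsafeStatement(quotedTitle));
        // Escaped literal: 'Kids'' Corner'
        System.out.println(quoteLiteral(quotedTitle));
    }
}
```

A useful review check for CQ5 code is to grep query-building code for string concatenation that ends in `= '` and route those values through `bindValue()` instead; the bind-variable names a statement expects can be inspected at runtime with `Query.getBindVariableNames()`.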