SOLVED

Is prepared statement there to access the JCR like JDBC?

Former Community Member

Hi,

To avoid SQL injection, is a prepared statement required to access the JCR?

It seems the JCR API doesn't have prepared statements?

If so, how is SQL injection avoided in CQ5?

Thanks in advance

3 Replies

Correct answer by
Employee Advisor

Do not confuse JCR SQL with ANSI SQL (of the database world). JCR SQL only allows reading data, not inserting, updating or deleting it. Please consult the JCR 2.0 Specification [1] if you have more questions on that.

So basically there is no need to use prepared statements.

Kind regards,

Jörg

[1] http://www.day.com/day/en/products/jcr/jsr-283.html

Former Community Member

Thanks

But SQL injection is also possible in a SELECT query, right?

Correct me if I am wrong.

Employee Advisor

Hi,

Technically yes: if you don't check your parameters, unwanted values can be inserted into your query. But the effect is always limited, because before the result is delivered to you every item is checked against the ACLs, so no, you cannot get data you are not allowed to read.

If you need more detailed answers (or for some reason official answers), please raise a Daycare ticket.

Jörg
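As an added illustration of the parameter checking Jörg mentions (this code is not from the thread, Adobe or the JCR project), the following contrasts a query built by string concatenation with one that passes the user value through a JCR 2.0 bind variable. It assumes a JCR 2.0 repository (JCR-SQL2 support, as in Jackrabbit 2.x) and uses the CQ5 `cq:PageContent` node type and a `$title` bind variable as example choices.

```java
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

/** Added example: searching cq:PageContent nodes by a user-supplied title. */
public class JcrTitleSearch {

    // Vulnerable variant: the user value becomes part of the statement text, so a
    // single quote inside it changes the structure of the query instead of being
    // matched literally. As the thread notes, results are still filtered by ACLs,
    // so this widens the query, not the caller's read permissions.
    public static NodeIterator searchVulnerable(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        String stmt = "SELECT * FROM [cq:PageContent] WHERE [jcr:title] = '" + userTitle + "'";
        return qm.createQuery(stmt, Query.JCR_SQL2).execute().getNodes();
    }

    // Hardened variant: JCR 2.0 bind variables ($title) play the role of JDBC
    // parameters. The value is supplied separately and is never parsed as query text.
    public static NodeIterator searchBound(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(
                "SELECT * FROM [cq:PageContent] WHERE [jcr:title] = $title", Query.JCR_SQL2);
        ValueFactory vf = session.getValueFactory();
        q.bindValue("title", vf.createValue(userTitle));
        return q.execute().getNodes();
    }

    // Fallback for query dialects without bind variables: in a JCR string literal a
    // single quote is escaped by doubling it, so that is the character to neutralise
    // before building the literal by hand.
    public static String quoteSqlLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }
}
```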