Hi,
To avoid SQL injection, are prepared statements required to access the JCR?
It seems the JCR API doesn't have prepared statements?
If so, how is SQL injection avoided in CQ5?
Thanks in advance
Do not confuse JCR SQL with ANSI SQL (of the database world). JCR SQL allows only to read data, but not to insert, update or delete data. Please consult the JCR 2.0 Specification [1] if you have more questions on that.
So basically there is no need to use prepared statements.
kind regards,
Jörg
Thanks
But in a SELECT query, SQL injection is also possible, right?
Correct me if I am wrong.
Hi,
Technically yes: if you don't check your parameters, you can insert unwanted values into your query. But then the effect is always limited, because before the result is delivered to you, every item is checked against the ACLs, so no, you cannot get data you are not allowed to read.
If you need more detailed answers (or for some reason official answers), please raise a Daycare ticket.
Jörg
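The parameter checking Jörg mentions can be done in code. The following is an added example, not code from the thread or from Adobe: it contrasts string concatenation of user input into a JCR-SQL2 statement with the JCR 2.0 bind-variable API (`javax.jcr.query.Query#bindValue`, defined in the JCR 2.0 specification referenced above), and shows literal escaping as a fallback. The node type `cq:PageContent`, the property `jcr:title` and the method names are illustrative assumptions about the caller's content model.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

// Added example (not from the thread): safe parameter handling for JCR-SQL2 queries.
public class SafeJcrQuery {

    // Weak pattern: untrusted input is concatenated into the statement, so a title
    // containing a single quote changes the shape of the query (the result set is still
    // filtered by ACLs, as noted above, but the query no longer does what the code meant).
    public static String unsafeStatement(String userTitle) {
        return "SELECT * FROM [cq:PageContent] AS s WHERE s.[jcr:title] = '" + userTitle + "'";
    }

    // Hardened pattern: the statement text is fixed and the user value is passed as a
    // JCR 2.0 bind variable ($title), so it can never be parsed as part of the grammar.
    public static List<String> findByTitle(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();

        Query q = qm.createQuery(
                "SELECT * FROM [cq:PageContent] AS s WHERE s.[jcr:title] = $title",
                Query.JCR_SQL2);
        q.bindValue("title", vf.createValue(userTitle)); // value, never statement text
        q.setLimit(100);                                   // bound the result size too

        QueryResult result = q.execute();
        List<String> paths = new ArrayList<>();
        for (NodeIterator it = result.getNodes(); it.hasNext();) {
            paths.add(it.nextNode().getPath());
        }
        return paths;
    }

    // Fallback for the rare case where a value must be placed inside a string literal
    // (for example when building a LIKE pattern): JCR-SQL2 string literals escape a
    // single quote by doubling it, so this is the only transformation needed.
    public static String escapeLiteral(String s) {
        return s.replace("'", "''");
    }
}
```

Use `findByTitle` for ordinary lookups; keep `unsafeStatement` only as the pattern to look for in code review. Binding the value also lets the repository cache the parsed statement, which is the same reason prepared statements exist in the relational world.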