Jump to: navigation, search

Difference between revisions of "EclipseLink/FAQ/General"

(Is SQL generated by EclipseLink vulnerable to SQL injection attacks?)
(Is SQL generated by EclipseLink vulnerable to SQL injection attacks?)
Line 71: Line 71:
 
* prepared statements.  EclipseLink supports (and defaults to) binding all SQL parameters.  As the SQL is computed before the parameter is passed in, parameterized statements are an effective mechanism for preventing SQL injection (in most resources on preventing injection attacks, prepared statements is the number one recommended solution).   
 
* prepared statements.  EclipseLink supports (and defaults to) binding all SQL parameters.  As the SQL is computed before the parameter is passed in, parameterized statements are an effective mechanism for preventing SQL injection (in most resources on preventing injection attacks, prepared statements is the number one recommended solution).   
 
* escaping single quotes.  If the application chooses to have prepared statements turned off, EclipseLink parses parameters for ' and escapes them.  The escaping of the ' means that the resulting SQL will no longer pose a threat to the database (using the above example, the SQL would look something like this:  
 
* escaping single quotes.  If the application chooses to have prepared statements turned off, EclipseLink parses parameters for ' and escapes them.  The escaping of the ' means that the resulting SQL will no longer pose a threat to the database (using the above example, the SQL would look something like this:  
  SELECT * FROM users WHERE name = 'a`';DROP TABLE users;SELECT * from users where name = `'a';
+
  SELECT * FROM users WHERE name = `a``;DROP TABLE users;SELECT * from users where name = ``a`;
  
 
There does exist within EclipseLink a mechanism to allow application developers to query directly using native SQL instead of having EclipseLink generate SQL.  Applications executing raw SQL through EclipseLink must guard against SQL injection as they are bypassing the SQL injection defenses employed by EclipseLink .
 
There does exist within EclipseLink a mechanism to allow application developers to query directly using native SQL instead of having EclipseLink generate SQL.  Applications executing raw SQL through EclipseLink must guard against SQL injection as they are bypassing the SQL injection defenses employed by EclipseLink .

Revision as of 13:16, 30 September 2008

What is EclipseLink?

Eclipse Persistence Services Project (EclipseLink) is a comprehensive persistence framework delivering a set of persistence services based around leading standards with advanced extensions. Consumers can use EclipseLink within Java EE, SE, and soon OSGi/Equinox environments.

The original source contribution for EclipseLink came from Oracle Corporation's TopLink product.

See Introduction to EclipseLink in the EclipseLink User's Guide for more information.

How is EclipseLink Licensed?

The Eclipse Persistence Services (EclipseLink) project is being developed and distributed* under the Eclipse Public License and the Eclipse Distribution Licensed (BSD).

* The project is currently in its incubation phase so no formal releases are available. Just incubation milestone builds. For more information on the project's release plans please see the EclipseLink/RoadMap

When is the next release of EclipseLink planned?

At present the Eclipse Persistence Services (EclipseLink) project is an incubating project at Eclipse. It is producing monthly milestone as well as nightly builds which can be downloaded here. For more information on the release schedule please refer to the project summary page or the road map.

What is the relationship between EclipseLink and the Oracle TopLink product?

EclipseLink was initiated based on the contribution of Oracle TopLink (Oracle FAQ for TopLink contribution). the full persistence capabilities Oracle TopLink was contributed.

Going forward Oracle TopLink will include EclipseLink to deliver its persistence functionality.

What are the components of EclipseLink?

The EclipseLink project is broken down into several components based on persistence services provided as well an a structure to organize development and produce functional OSGi/Equinox bundles.

Where can I download EclipseLink?

At present EclipseLink can only be downloaded directly from the Eclipse project's website:

http://www.eclipse.org/eclipselink/downloads/index.php

How do I get started using EclipseLink?

Where can I find documentation on EclipseLink?

The complete EclipseLink User Guide is available on this wiki at EclipseLink/UserGuide.

If you encounter any problems using the User Guide please file a bug against the Documentation component.

Where can I find examples of how to use EclipseLink?

The EclipseLink development team continually works on providing a comprehensive set of examples and how-to's for each of its persistence services that will assist customers in the quick adoption of this project. The examples are hosted on this wiki here.

Can I use EclipseLink with Maven?

Yes, EclipseLink published a Maven repository so that developers can easily integrate the project's builds/milestones/releases into their Maven build process. Full instructions can be found on the EclipseLink/Maven page.

Is SQL generated by EclipseLink vulnerable to SQL injection attacks?

No, EclipseLink generated SQL is not vulnerable to SQL injection attacks. SQL injection attacks occur when parameters exposed to an end user are designed in such a way to execute potentially harmful SQL.

eg

"SELECT * FROM users WHERE name = '" + userName + "';" 

is vulnerable to an injection attack because passing in a user name of "a';DROP TABLE users;SELECT * from users where name = 'a"

Produces SQL like this:

"SELECT * FROM users WHERE name = 'a';DROP TABLE users;SELECT * from users where name = 'a';"

The SQL that is generated by EclipseLink prevents these types of attacks in two main ways.

  • prepared statements. EclipseLink supports (and defaults to) binding all SQL parameters. As the SQL is computed before the parameter is passed in, parameterized statements are an effective mechanism for preventing SQL injection (in most resources on preventing injection attacks, prepared statements is the number one recommended solution).
  • escaping single quotes. If the application chooses to have prepared statements turned off, EclipseLink parses parameters for ' and escapes them. The escaping of the ' means that the resulting SQL will no longer pose a threat to the database (using the above example, the SQL would look something like this:
SELECT * FROM users WHERE name = `a``;DROP TABLE users;SELECT * from users where name = ``a`;

There does exist within EclipseLink a mechanism to allow application developers to query directly using native SQL instead of having EclipseLink generate SQL.  Applications executing raw SQL through EclipseLink must guard against SQL injection as they are bypassing the SQL injection defenses employed by EclipseLink .

It should go without saying that it is never recommended to expose the native SQL to an application user, doing so would be similar to exposing JDBC API to an application user. At this point it is no longer an injection attack issue, and more about allowing end users the capability to run any SQL on your Database.