
Difference between revisions of "EclipseLink/FAQ/General"

(Is SQL generated by EclipseLink vulnerable to SQL injection attacks?)
m (How do I get started using EclipseLink?)
(26 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
== What is EclipseLink? ==
 
== What is EclipseLink? ==
  
Eclipse Persistence Services Project (EclipseLink) is a comprehensive persistence framework delivering a set of persistence services based around leading standards with advanced extensions. Consumers can use EclipseLink within Java EE, SE, and soon OSGi/Equinox environments.  
+
Eclipse Persistence Services Project (EclipseLink) is a comprehensive persistence framework delivering a set of persistence services based around leading standards with advanced extensions. Consumers can use EclipseLink within Java EE, SE, and OSGi/Equinox environments.  
  
 
The original source contribution for EclipseLink came from [http://www.oracle.com/technology/products/ias/toplink/index.html Oracle Corporation's TopLink product].
 
The original source contribution for EclipseLink came from [http://www.oracle.com/technology/products/ias/toplink/index.html Oracle Corporation's TopLink product].
  
See [[Introduction to EclipseLink (ELUG)|Introduction to EclipseLink]] in the [[EclipseLink/UserGuide|EclipseLink User's Guide]] for more information.
+
See "Overview of EclipseLink" in ''[http://www.eclipse.org/eclipselink/documentation/ Understanding EclipseLink (Concepts Guide)]'' for more information.
  
 
== How is EclipseLink Licensed? ==
 
== How is EclipseLink Licensed? ==
  
The Eclipse Persistence Services (EclipseLink) project is being developed and distributed* under the [http://www.eclipse.org/legal/epl-v10.html Eclipse Public License] and the Eclipse Distribution Licensed (BSD).  
+
The EclipseLink project is dual licensed under the [http://www.eclipse.org/legal/epl-v10.html Eclipse Public License] and the [http://www.eclipse.org/org/documents/edl-v10.php Eclipse Distribution Licensed] (BSD).
  
''* The project is currently in its incubation phase so no formal releases are available. Just incubation milestone builds. For more information on the project's release plans please see the [[EclipseLink/RoadMap]]''
+
'''EclipseLink Source Header:'''
 
+
<source lang="java">
== When is the next release of EclipseLink planned? ==
+
/*******************************************************************************
 
+
* Copyright (c) 1998, 2010 Oracle. All rights reserved.
At present the Eclipse Persistence Services (EclipseLink) project is an [http://www.eclipse.org/projects/dev_process/incubation-phase.php incubating] project at Eclipse. It is producing monthly milestone as well as nightly builds which can be downloaded [http://www.eclipse.org/eclipselink/downloads/index.php here]. For more information on the release schedule please refer to the [http://www.eclipse.org/projects/project_summary.php?projectid=technology.eclipselink project summary] page or the [[EclipseLink/RoadMap | road map]].
+
* This program and the accompanying materials are made available under the
 +
* terms of the Eclipse Public License v1.0 and Eclipse Distribution License v. 1.0
 +
* which accompanies this distribution.
 +
* The Eclipse Public License is available at http://www.eclipse.org/legal/epl-v10.html
 +
* and the Eclipse Distribution License is available at
 +
* http://www.eclipse.org/org/documents/edl-v10.php.
 +
******************************************************************************/
 +
</source>
  
 
== What is the relationship between EclipseLink and the Oracle TopLink product? ==
 
== What is the relationship between EclipseLink and the Oracle TopLink product? ==
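Review bot: the rewritten licensing sentence carries over a typo from the old text: "[http://www.eclipse.org/org/documents/edl-v10.php Eclipse Distribution Licensed] (BSD)" should read "Eclipse Distribution License (BSD)", matching the "Eclipse Distribution License v. 1.0" wording in the source header this hunk adds just below it.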
Line 21: Line 28:
 
EclipseLink was initiated based on the contribution of Oracle TopLink ([http://www.oracle.com/technology/tech/eclipse/pdf/eclipselink-faq.pdf Oracle FAQ for TopLink contribution]). the full persistence capabilities Oracle TopLink was contributed.
 
EclipseLink was initiated based on the contribution of Oracle TopLink ([http://www.oracle.com/technology/tech/eclipse/pdf/eclipselink-faq.pdf Oracle FAQ for TopLink contribution]). the full persistence capabilities Oracle TopLink was contributed.
  
Going forward Oracle TopLink will include EclipseLink to deliver its persistence functionality.
+
Going forward Oracle TopLink will include EclipseLink to deliver its core persistence functionality.
  
 
== What are the components of EclipseLink? ==
 
== What are the components of EclipseLink? ==
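Review bot: the unchanged first paragraph of this section still contains a fragment, ". the full persistence capabilities Oracle TopLink was contributed."; since the section is being edited, suggest "The full persistence capabilities of Oracle TopLink were contributed." (capitalised, with "of" and a plural verb).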
Line 32: Line 39:
 
* [[EclipseLink/Components#SDO| SDO]]
 
* [[EclipseLink/Components#SDO| SDO]]
 
* [[EclipseLink/Components#DBWS| DBWS]]
 
* [[EclipseLink/Components#DBWS| DBWS]]
* [[EclipseLink/Components#EIS| EIS]]
+
* [[EclipseLink/Components#NoSQL| NoSQL]]
 
* [[EclipseLink/Components#Utils| Utils]]
 
* [[EclipseLink/Components#Utils| Utils]]
 
* [[EclipseLink/Components#Examples | Examples]]
 
* [[EclipseLink/Components#Examples | Examples]]
Line 44: Line 51:
 
== How do I get started using EclipseLink? ==
 
== How do I get started using EclipseLink? ==
  
===  Where can I find documentation on EclipseLink? ===
+
# [http://www.eclipse.org/eclipselink/downloads/ Download EclipseLink]
 
+
# Review the [http://www.eclipse.org/eclipselink/documentation/ EclipseLink Documentation Center]
The complete EclipseLink User Guide is available on this wiki at [[EclipseLink/UserGuide]].
+
# [[EclipseLink/Examples | Try the EclipseLink Examples and Tutorials]]
 
+
''If you encounter any problems using the User Guide please file a bug against the [[EclipseLink/Components#Documentation | Documentation]] component.''
+
 
+
=== Where can I find examples of how to use EclipseLink? ===
+
 
+
The EclipseLink development team continually works on providing a comprehensive set of examples and how-to's for each of its persistence services that will assist customers in the quick adoption of this project. The examples are hosted on this wiki [[EclipseLink/Examples | here]].
+
  
 
== Can I use EclipseLink with Maven? ==
 
== Can I use EclipseLink with Maven? ==
Line 58: Line 59:
 
Yes, EclipseLink published a Maven repository so that developers can easily integrate the project's builds/milestones/releases into their Maven build process.  Full instructions can be found on the [[EclipseLink/Maven | EclipseLink/Maven]] page.
 
Yes, EclipseLink published a Maven repository so that developers can easily integrate the project's builds/milestones/releases into their Maven build process.  Full instructions can be found on the [[EclipseLink/Maven | EclipseLink/Maven]] page.
  
== Is SQL generated by EclipseLink vulnerable to SQL injection attacks? ==
+
[[Category:EclipseLink FAQ|General]]
No, EclipseLink generated SQL is not vulnerable to SQL injection attacks.  SQL injection attacks occur when parameters exposed to an end user are designed in such a way to execute potentially harmful SQL. 
+
 
+
eg
+
"SELECT * FROM users WHERE name = '" + userName + "';"
+
is vulnerable to an injection attack because passing in a user name of "a';DROP TABLE users;SELECT * from users where name = 'a"
+
 
+
Produces SQL like this:
+
"SELECT * FROM users WHERE name = 'a';DROP TABLE users;SELECT * from users where name = 'a';"
+
 
+
The SQL that is generated by EclipseLink prevents these types of attacks in two main ways.
+
* prepared statements.  EclipseLink supports (and defaults to) binding all SQL parameters.  As the SQL is computed before the parameter is passed in, parameterized statements are an effective mechanism for preventing SQL injection (in most resources on preventing injection attacks, prepared statements is the number one recommended solution). 
+
* escaping single quotes.  If the application chooses to have prepared statements turned off, EclipseLink parses parameters for ' and escapes them.  The escaping of the ' means that the resulting SQL will no longer pose a threat to the database (using the above example, the SQL would look something like this:
+
SELECT * FROM users WHERE name = 'a' ';DROP TABLE users;SELECT * from users where name = ' 'a';
+
 
+
There does exist within EclipseLink a mechanism to allow application developers to query directly using native SQL instead of having EclipseLink generate SQL.  Applications executing raw SQL through EclipseLink must guard against SQL injection as they are bypassing the SQL injection defenses employed by EclipseLink .
+
 
+
It should go without saying that it is never recommended to expose the native SQL to an application user, doing so would be similar to exposing JDBC API to an application user.  At this point it is no longer an injection attack issue, and more about allowing end users the capability to run any SQL on your Database. 
+
[[Category:EclipseLink FAQ]]
+
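Review bot: the quote-escaping example in the new FAQ entry does not show what doubling the single quote actually produces. The line "SELECT * FROM users WHERE name = 'a' ';DROP TABLE users;SELECT * from users where name = ' 'a';" has a space after each escaped quote, which would end the string literal and fail to parse rather than neutralise the payload; doubling every ' in the payload yields one statement with a single literal: SELECT * FROM users WHERE name = 'a'';DROP TABLE users;SELECT * from users where name = ''a'; Two wording points as well. The opening "No, EclipseLink generated SQL is not vulnerable" is broader than the two mechanisms described support: escaping quotes only protects a value spliced into a quoted string literal (a value spliced into an unquoted position such as a numeric comparison contains no quote to escape), and the entry itself concedes that native SQL bypasses both defenses, so suggest leading with "Not when parameters are bound, which is the default" and keeping the native-SQL caveat. Finally, replacing [[Category:EclipseLink FAQ|General]] with [[Category:EclipseLink FAQ]] drops the category sort key, which looks unintended.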

Revision as of 12:28, 30 January 2013

What is EclipseLink?

Eclipse Persistence Services Project (EclipseLink) is a comprehensive persistence framework delivering a set of persistence services based around leading standards with advanced extensions. Consumers can use EclipseLink within Java EE, SE, and OSGi/Equinox environments.

The original source contribution for EclipseLink came from Oracle Corporation's TopLink product.

See "Overview of EclipseLink" in Understanding EclipseLink (Concepts Guide) for more information.

How is EclipseLink Licensed?

The EclipseLink project is dual licensed under the Eclipse Public License and the Eclipse Distribution License (BSD).

EclipseLink Source Header:

/*******************************************************************************
 * Copyright (c) 1998, 2010 Oracle. All rights reserved.
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v1.0 and Eclipse Distribution License v. 1.0
 * which accompanies this distribution.
 * The Eclipse Public License is available at http://www.eclipse.org/legal/epl-v10.html
 * and the Eclipse Distribution License is available at
 * http://www.eclipse.org/org/documents/edl-v10.php.
 ******************************************************************************/

What is the relationship between EclipseLink and the Oracle TopLink product?

EclipseLink was initiated based on the contribution of Oracle TopLink (Oracle FAQ for TopLink contribution). The full persistence capabilities of Oracle TopLink were contributed.

Going forward Oracle TopLink will include EclipseLink to deliver its core persistence functionality.

What are the components of EclipseLink?

The EclipseLink project is broken down into several components based on the persistence services provided, as well as a structure to organize development and produce functional OSGi/Equinox bundles.

Where can I download EclipseLink?

At present EclipseLink can only be downloaded directly from the Eclipse project's website:

http://www.eclipse.org/eclipselink/downloads/index.php

How do I get started using EclipseLink?

  1. Download EclipseLink
  2. Review the EclipseLink Documentation Center
  3. Try the EclipseLink Examples and Tutorials

Can I use EclipseLink with Maven?

Yes, EclipseLink published a Maven repository so that developers can easily integrate the project's builds/milestones/releases into their Maven build process. Full instructions can be found on the EclipseLink/Maven page.
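The FAQ entry on SQL injection shown in the diff above describes three situations: string concatenation, the single-quote escaping fallback used when binding is switched off, and parameter binding. What follows is an added example, not EclipseLink code and not from the page: it uses Python's built-in sqlite3 module as a stand-in for the database driver to run the entry's own payload through all three paths, and adds one case the entry does not cover, a value spliced into an unquoted numeric comparison, where quote escaping has nothing to act on. The users table, its two rows (alice, bob) and the numeric payload are constructed for this example.

```python
import sqlite3

# Payload quoted in the FAQ entry: it closes the literal, appends DROP TABLE,
# then re-opens a literal so the template's trailing quote still parses.
PAYLOAD = "a';DROP TABLE users;SELECT * from users where name = 'a"

# Constructed for this example (not from the page): an injection aimed at an
# unquoted numeric position, which contains no quote for escaping to act on.
NUMERIC_PAYLOAD = "1 OR 1=1"

# Constructed sample rows for a users(id, name) table.
SAMPLE_USERS = [("alice",), ("bob",)]


def fresh_db():
    """New in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_USERS)
    conn.commit()
    return conn


def users_table_exists(conn):
    """True while the users table has not been dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def concatenated_sql(user_name):
    """The vulnerable pattern from the FAQ: the value is spliced into the SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def quote_doubled_sql(user_name):
    """Fallback the FAQ describes for unbound parameters: every single quote in
    the value is doubled (standard SQL quoting; EclipseLink's own escaping code
    is not reproduced here)."""
    return "SELECT * FROM users WHERE name = '" + user_name.replace("'", "''") + "';"


def lookup_concatenated(user_name):
    """Run the concatenated SQL via executescript, which (like many drivers and
    database consoles) accepts several statements in one string.
    Returns whether the users table survived."""
    conn = fresh_db()
    try:
        conn.executescript(concatenated_sql(user_name))
    except sqlite3.OperationalError:
        pass  # the payload's final SELECT fails because the table is already gone
    return users_table_exists(conn)


def lookup_quote_doubled(user_name):
    """Run the quote-doubled SQL; after escaping it is a single statement.
    Returns (matching names, users table survived)."""
    conn = fresh_db()
    rows = conn.execute(quote_doubled_sql(user_name)).fetchall()
    return [name for _, name in rows], users_table_exists(conn)


def lookup_bound(user_name):
    """Parameter binding: the statement is fixed before the value arrives, so
    the value can only ever be compared, never parsed as SQL."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()
    return [name for _, name in rows], users_table_exists(conn)


def by_id_quote_doubled(user_id):
    """Quote doubling applied to a value spliced into an unquoted position:
    a payload with no quote passes through untouched and becomes SQL."""
    conn = fresh_db()
    sql = "SELECT name FROM users WHERE id = " + user_id.replace("'", "''")
    return [name for (name,) in conn.execute(sql).fetchall()]


def by_id_bound(user_id):
    """Same lookup with a bound parameter: the whole string is compared to id."""
    conn = fresh_db()
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    print("concatenated, table survived:", lookup_concatenated(PAYLOAD))
    print("quote-doubled SQL:", quote_doubled_sql(PAYLOAD))
    print("quote-doubled result:", lookup_quote_doubled(PAYLOAD))
    print("bound result:", lookup_bound(PAYLOAD))
    print("numeric, quote-doubled:", by_id_quote_doubled(NUMERIC_PAYLOAD))
    print("numeric, bound:", by_id_bound(NUMERIC_PAYLOAD))
```

Running the script shows the three outcomes the FAQ describes for its payload (table dropped, harmless single statement, harmless bound comparison) and then the numeric case, where the escaped query returns every row while the bound query returns none, which is why binding, not escaping, is the defense to rely on.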