Sunday, August 2, 2015

Using setWhereClause in ADFBC properly

Avoid SQL Injection in ADFBC.
Securely using ADFBC.

ADF BC is a robust framework that simplifies data access code in ADF applications. ADF does a good job of using prepared statements for all the SQL it generates, which improves the security of the application.
ADF developers are also given access to write their own WHERE clause on a View Object using its setWhereClause method.
Most developers tend to misuse this method by building the clause through string concatenation, which can be used to inject SQL.
For example:
Wrong Way

vo.setWhereClause("OrderNumber = '" + pOrderNo + "'");   // the caller's value is pasted straight into the SQL text
vo.executeQuery();

The best way to use this method securely is to pass the value as a bind parameter:

Correct Way

vo.setWhereClause("OrderNumber = ?");
vo.setWhereClauseParams(new Object[] { pOrderNo });   // the value is bound by the driver, never concatenated into the SQL
vo.executeQuery();
vo.setWhereClauseParams(null);   // clear the bind values once the query has run
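As an added example that is not part of the original post, the hypothetical helper below applies the same idea to more than one bound value and also shows the named-bind form (":name"); the class and method names are assumptions, and the named variant assumes the View Object uses the Oracle named binding style. Both methods reset the View Object in a finally block so a later caller does not inherit the filter or its bind values.

```java
import oracle.jbo.Row;
import oracle.jbo.ViewObject;

// Hypothetical helper (not from the original post). Every caller-supplied value is
// bound, never concatenated into the WHERE clause text, so it is treated as data.
public final class OrderLookup {

    // Positional binds ("?"), as in the post, extended to two values.
    public static Row findOrder(ViewObject vo, String orderNo, String status) {
        vo.setWhereClause("OrderNumber = ? AND Status = ?");
        vo.setWhereClauseParams(new Object[] { orderNo, status });
        try {
            vo.executeQuery();
            return vo.hasNext() ? vo.next() : null;   // first matching row, or null
        } finally {
            // Restore the View Object's default query and clear the binds.
            vo.setWhereClauseParams(null);
            vo.setWhereClause(null);
        }
    }

    // Named binds (":pOrderNo"); assumes the View Object's binding style is Oracle named.
    public static Row findOrderNamed(ViewObject vo, String orderNo) {
        vo.setWhereClause("OrderNumber = :pOrderNo");
        // Define the bind variable and give it its value; null indices means "used by name".
        vo.defineNamedWhereClauseParam("pOrderNo", orderNo, null);
        try {
            vo.executeQuery();
            return vo.hasNext() ? vo.next() : null;
        } finally {
            vo.removeNamedWhereClauseParam("pOrderNo");
            vo.setWhereClause(null);
        }
    }
}
```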