XML file and SQL injection


XML file and SQL injection

o foudroyant
Hi,

I am considering myBatis for my project. And I want to know how to
protect the xml file where the sql queries are saved.
If someone edits them, he can modify a query and do whatever he wants.
Or he can see how the database is structured.
Can I encrypt the xml file? Or do something else?

Thank you for your answers!

Re: XML file and SQL injection

Clinton Begin
Administrator
How do you protect your class files?  Jar files?  The rest of the filesystem?

On 2010-09-25, o foudroyant <[hidden email]> wrote:
> Hi,
>
> I am considering myBatis for my project. And I want to know how to
> protect the xml file where the sql queries are saved.
> If someone edit them, he can modify a query and do what ever he wants.
> Or he can see how is the database structure.
> Can I encrypt the xml file ? Or do something else ?
>
> Thank you for your answers!

--
Sent from my mobile device

Re: XML file and SQL injection

o foudroyant
They are not really protected. If someone decompiles them, they can see
the source code.
But it will be much work to do this compared to editing a simple xml
file.
It was a simple question: do not be so sarcastic like you know
everything.

On 25 sep, 15:43, Clinton Begin <[hidden email]> wrote:

> How do you protect you class files?  Jar files?  The rest of the filesystem?
>
> On 2010-09-25, o foudroyant <[hidden email]> wrote:
>
> > Hi,
>
> > I am considering myBatis for my project. And I want to know how to
> > protect the xml file where the sql queries are saved.
> > If someone edit them, he can modify a query and do what ever he wants.
> > Or he can see how is the database structure.
> > Can I encrypt the xml file ? Or do something else ?
>
> > Thank you for your answers!
>
> --
> Sent from my mobile device

Re: XML file and SQL injection

François Schiettecatte
I don't think he was being sarcastic at all; he has some very valid points. The xml files are wrapped up in the jar file, so if someone has access to that they have access to the xml files. Besides, if they have access to the jar files, presumably they can do some amount of damage... I am sure the OS you are running on offers plenty of tools to protect your app files from nosey users.

François

On Sep 25, 2010, at 3:50 PM, o foudroyant wrote:

> They are not really protected. If someone decompile them, they can see
> the source code.
> But it will be much work to do this compared to edit a simple xml
> file.
> It was a simple question : do not be so sarcastic like you know
> everything.
>
> On 25 sep, 15:43, Clinton Begin <[hidden email]> wrote:
>> How do you protect you class files?  Jar files?  The rest of the filesystem?
>>
>> On 2010-09-25, o foudroyant <[hidden email]> wrote:
>>
>>> Hi,
>>
>>> I am considering myBatis for my project. And I want to know how to
>>> protect the xml file where the sql queries are saved.
>>> If someone edit them, he can modify a query and do what ever he wants.
>>> Or he can see how is the database structure.
>>> Can I encrypt the xml file ? Or do something else ?
>>
>>> Thank you for your answers!
>>
>> --
>> Sent from my mobile device


Re: XML file and SQL injection

o foudroyant
Thank you for your answer François. I did not know that the xml file
is wrapped in a jar file.
The "someone" has to go through all the OS security. That's right. I
was just wondering how I can protect the xml file.
You gave me the answer. Thank you. I will check.

On 25 sep, 15:57, François Schiettecatte <[hidden email]>
wrote:

> I dont think he was being sarcastic at all, he has some very valid points, the xml files are wrapped up in the jar file, so if someone has access to that they have access to the xml files, besides if they have access to the jar files presumably they can do some amount of damage... I am sure the OS you are running on offers plenty of tools to protect your app files from nosey users.
>
> François
>
> On Sep 25, 2010, at 3:50 PM, o foudroyant wrote:
>
> > They are not really protected. If someone decompile them, they can see
> > the source code.
> > But it will be much work to do this compared to edit a simple xml
> > file.
> > It was a simple question : do not be so sarcastic like you know
> > everything.
>
> > On 25 sep, 15:43, Clinton Begin <[hidden email]> wrote:
> >> How do you protect you class files?  Jar files?  The rest of the filesystem?
>
> >> On 2010-09-25, o foudroyant <[hidden email]> wrote:
>
> >>> Hi,
>
> >>> I am considering myBatis for my project. And I want to know how to
> >>> protect the xml file where the sql queries are saved.
> >>> If someone edit them, he can modify a query and do what ever he wants.
> >>> Or he can see how is the database structure.
> >>> Can I encrypt the xml file ? Or do something else ?
>
> >>> Thank you for your answers!
>
> >> --
> >> Sent from my mobile device

Re: XML file and SQL injection

François Schiettecatte
I am pretty sure you can put the xml files wherever you want on the file system, I just wrap them up in my application jar file for convenience.

F.

On Sep 25, 2010, at 4:05 PM, o foudroyant wrote:

> Thank you for your answer François. I did not know that the xml file
> is wrapped in a jar file.
> The "someone" has to go through all the OS security. That's right. I
> was just wondering how can I protect the xml file.
> You give me the answer. Thank you. I will check.
>
> On 25 sep, 15:57, François Schiettecatte <[hidden email]>
> wrote:
>> I dont think he was being sarcastic at all, he has some very valid points, the xml files are wrapped up in the jar file, so if someone has access to that they have access to the xml files, besides if they have access to the jar files presumably they can do some amount of damage... I am sure the OS you are running on offers plenty of tools to protect your app files from nosey users.
>>
>> François
>>
>> On Sep 25, 2010, at 3:50 PM, o foudroyant wrote:
>>
>>> They are not really protected. If someone decompile them, they can see
>>> the source code.
>>> But it will be much work to do this compared to edit a simple xml
>>> file.
>>> It was a simple question : do not be so sarcastic like you know
>>> everything.
>>
>>> On 25 sep, 15:43, Clinton Begin <[hidden email]> wrote:
>>>> How do you protect you class files?  Jar files?  The rest of the filesystem?
>>
>>>> On 2010-09-25, o foudroyant <[hidden email]> wrote:
>>
>>>>> Hi,
>>
>>>>> I am considering myBatis for my project. And I want to know how to
>>>>> protect the xml file where the sql queries are saved.
>>>>> If someone edit them, he can modify a query and do what ever he wants.
>>>>> Or he can see how is the database structure.
>>>>> Can I encrypt the xml file ? Or do something else ?
>>
>>>>> Thank you for your answers!
>>
>>>> --
>>>> Sent from my mobile device


Re: XML file and SQL injection

Clinton Begin
Administrator
In reply to this post by o foudroyant
It wasn't sarcasm.  It's quite serious.  Good luck.

On 2010-09-25, o foudroyant <[hidden email]> wrote:

> They are not really protected. If someone decompile them, they can see
> the source code.
> But it will be much work to do this compared to edit a simple xml
> file.
> It was a simple question : do not be so sarcastic like you know
> everything.
>
> On 25 sep, 15:43, Clinton Begin <[hidden email]> wrote:
>> How do you protect you class files?  Jar files?  The rest of the
>> filesystem?
>>
>> On 2010-09-25, o foudroyant <[hidden email]> wrote:
>>
>> > Hi,
>>
>> > I am considering myBatis for my project. And I want to know how to
>> > protect the xml file where the sql queries are saved.
>> > If someone edit them, he can modify a query and do what ever he wants.
>> > Or he can see how is the database structure.
>> > Can I encrypt the xml file ? Or do something else ?
>>
>> > Thank you for your answers!
>>
>> --
>> Sent from my mobile device

--
Sent from my mobile device

Re: XML file and SQL injection

Eduardo Macarron
In reply to this post by o foudroyant
o,

SQL injection means that you take some info from user input, and when
you insert that data in your SQL sentences they don't do what you
were expecting.

i.e. you get userId from input and execute select * from users where
id=userId and that may become select * from users where id=1; drop
table users;

But your source code _must_ be reliable and properly secured and xml
files are part of it.

On 25 sep, 21:26, o foudroyant <[hidden email]> wrote:
> Hi,
>
> I am considering myBatis for my project. And I want to know how to
> protect the xml file where the sql queries are saved.
> If someone edit them, he can modify a query and do what ever he wants.
> Or he can see how is the database structure.
> Can I encrypt the xml file ? Or do something else ?
>
> Thank you for your answers!
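
An added example, not part of the original thread: in a MyBatis mapper, `#{userId}` is bound as a JDBC prepared-statement parameter, while `${userId}` is substituted into the SQL text, which is the case described in the last post. The Python audit script below lists every `${...}` in a mapper file; the mapper content, the namespace and the statement ids are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mapper (not from the thread); it reuses the query from the post above.
SAMPLE_MAPPER = """
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
  "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="example.UserMapper">
  <select id="findByIdUnsafe" resultType="map">
    select * from users where id = ${userId}
  </select>
  <select id="findByIdBound" resultType="map">
    select * from users where id = #{userId}
  </select>
  <select id="search" resultType="map">
    select * from users
    <where>
      <if test="name != null">name = #{name}</if>
    </where>
    order by ${sortColumn}
  </select>
</mapper>
"""

STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
SUBSTITUTION = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def find_text_substitutions(mapper_xml):
    """Return (namespace, statement id, expression) for every ${...} in a mapper."""
    root = ET.fromstring(mapper_xml.strip())
    namespace = root.get("namespace", "")
    findings = []
    for stmt in root:
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also walks nested dynamic tags such as <where>, <if>, <foreach>.
        sql_text = "".join(stmt.itertext())
        for match in SUBSTITUTION.finditer(sql_text):
            findings.append((namespace, stmt.get("id"), match.group(1)))
    return findings


if __name__ == "__main__":
    for ns, stmt_id, expr in find_text_substitutions(SAMPLE_MAPPER):
        print(f"{ns}.{stmt_id}: ${{{expr}}} is pasted into the SQL text, not bound")
```

Each finding needs a review: a `${...}` value that can come from user input should be replaced with `#{...}` or, for things like a sort column, checked against a fixed list of allowed names before it reaches the mapper.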