Security Question.

[JMD]

How valnurable is L2J in injections? ( I know use search but it doesnt allow me to search for some reason.)

I use Unix based OS for my server.

[janiii]

java code uses prepared statements, and these should be fine. most sql injections can come from a (bad) web based account manager system.

[Zealar]

sql injections no work in l2j i test before 2 weaks but work for stupid MU

mysql > microsoft sql

[ThePhoenixBird]

Be sure tu use a good coded account mananger and if you use a statistic system be sure also that its properly secured, L2j as default is highly secure but it can be compromised due lame php scripts running on your site.

[JMD]

Thanks for your replies.

[Vapulabe]

SQL injection comes from badly escaped parameters in SQL request. L2J uses prepared statement which should remove the problem.

Compare :

Code: Select all

rs=stm.executeQuery("SELECT * FROM XYZ WHERE aaa=''+data+"'");

And

Code: Select all

stm=db.prepareStatement("SELECT * FROM XYZ WHERE aaa= ?");stm.setString(1,data);rs=stm.executeQuery();

In the first call, you may have something like

Code: Select all

zzz'; INSERT INTO XXX(bbb,ccc) VALUES(1,2); SELECT * FROM XYZ WHERE aaa='yyy

which would execute as 3 SQL requests :

Code: Select all

SELECT * FROM XYZ WHERE aaa='zzz';INSERT INTO XXX(bbb,ccc)VALUES(1,2);SELECT * FROM XYZ WHERE aaa='yyy'

With the prepared statement, the whole string will be taken as parameter, with the ' chars understood as the ascii character and not as the string delimiter.