/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

SQL Injection & Optimizations Path

DZone's Guide to

SQL Injection & Optimizations Path

by
Oren Eini
·
Sep. 22, 14 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Learn how to troubleshoot and diagnose some of the most common performance issues in Java today. Brought to you in partnership with AppDynamics.

It is silly, but I just had a conversation with one of our developers on SQL Injection. In RavenDB we support replicating to a relational database, which obviously require using SQL. We are doing things properly, with parameters and everything.

No chance for SQL Injection from there. Great, and end of a very short blog post if it was everything.

As it turned out, there is a significant performance difference between:

@p1 = 'users/1'
@p2 = 'users/2'

DELETE FROM Users WHERE Id IN (@p1,@p1)

And:

DELETE FROM Users WHERE Id IN ('users/1', 'users/2')

Enough that we added that as an option. The reason why related to the vagaries of the database query optimizer, and not really relevant.

This is off by default, obviously. And we use parameters by choice & preference. But we still added a minimal “protection” by adding: 

sqlValue.Replace("'", "''")

Considering that this isn’t meant for user’s input (it is for document ids), that is something that is annoying.

Any suggestions on how to improve this?


Understand the needs and benefits around implementing the right monitoring solution for a growing containerized market. Brought to you in partnership with AppDynamics.

Like This Article? Read More From DZone

AppNeta vs. NetFlow: App Identification Without the Overhead
Introducing Mesos-Native Health Checks in Apache Mesos (Part 2)
Everything You Need to Know About Mobile App Architecture

Free DZone Refcard

Contexts and Dependency Injection for the Java EE Platform
DOWNLOAD
Topics:

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Oren Eini, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Reactive Microservices Architecture: Design Principles for Distributed Systems
Developing Reactive Microservices: Enterprise Implementation in Java
Modern Java EE Design Patterns
Download the Complimentary O’Reilly eBook on Cloud-Native Java, Spring, and Cloud Foundry
Jenkins, Docker and DevOps: The Innovation Catalysts
Extend Java Apps to Mobile and Cloud
Download a Complimentary O’Reilly eBook on Cloud-Native Application Architectures
Migrating to Microservice Databases
CA App Experience Analytics, a whole new level of visibility. Learn more.
Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
A Practical Guide to Learning Git
The Importance of Monitoring Containers

Java Partner Resources

Reactive Microservices Architecture: Design Principles for Distributed Systems
Developing Reactive Microservices: Enterprise Implementation in Java
Modern Java EE Design Patterns
Download the Complimentary O’Reilly eBook on Cloud-Native Java, Spring, and Cloud Foundry
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone