/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

SQL Injection & Optimizations Path

DZone's Guide to

SQL Injection & Optimizations Path

by
Oren Eini
·
Sep. 22, 14 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Managing a MongoDB deployment? Take a load off and live migrate to MongoDB Atlas, the official automated service, with little to no downtime.

It is silly, but I just had a conversation with one of our developers on SQL Injection. In RavenDB we support replicating to a relational database, which obviously require using SQL. We are doing things properly, with parameters and everything.

No chance for SQL Injection from there. Great, and end of a very short blog post if it was everything.

As it turned out, there is a significant performance difference between:

@p1 = 'users/1'
@p2 = 'users/2'

DELETE FROM Users WHERE Id IN (@p1,@p1)

And:

DELETE FROM Users WHERE Id IN ('users/1', 'users/2')

Enough that we added that as an option. The reason why related to the vagaries of the database query optimizer, and not really relevant.

This is off by default, obviously. And we use parameters by choice & preference. But we still added a minimal “protection” by adding: 

sqlValue.Replace("'", "''")

Considering that this isn’t meant for user’s input (it is for document ids), that is something that is annoying.

Any suggestions on how to improve this?


MongoDB Atlas is the easiest way to run the fastest-growing database for modern applications — no installation, setup, or configuration required. Easily live migrate an existing workload or start with 512MB of storage for free.

Like This Article? Read More From DZone

Thoughts on Opening Up Java EE
Azure Managed VM Images: Using Premium Data Disks
Are Your Containers Secure? An Interview With Aqua Security

Free DZone Refcard

Getting Started With Vaadin Framework 8
DOWNLOAD
Topics:

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Oren Eini, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
The Importance of Monitoring Containers
Kubernetes Deployment Models: The Ultimate Guide
The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Combine the Innovations of NoSQL with the Critical Capabilities of Relational Databases
Reactive Microsystems - The Evolution of Microservices at Scale
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
How to Build (and Scale) with Microservices
Advanced Linux Commands [Cheat Sheet]
Develop and Deploy Microservices with JHipster
Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
Discover How Not to be Slowed Down by a Rigid Relational schema or a Complicated ORM Layer

Java Partner Resources

Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
The Importance of Monitoring Containers
Kubernetes Deployment Models: The Ultimate Guide
The single app analytics solutions to take your web and mobile apps to the next level. Try today!
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone