I am writing a DELETE statement using the JDBC component and want to make
sure there are no SQL injection possibilities. My statement does not have
any input parameters; it is basically a table with a few columns, including one
called MOD_TIME.
The SQL statement is in a bean:
DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days
Since I have no bind variables or other parameters I assume it is not
possible to inject SQL, but I am not completely sure.
Would I want to set allowNamedParameters to false to be doubly sure, and
what is the benefit?
I read about one security issue related to stylesheets where someone can
submit messages to a route. I am not sure how that would work: how do people gain
access to a route, and can they submit arbitrary SQL? I don't think so.
Route:
<route id="db-purger">
<from uri="quartz2://myGroup/purgeTable?cron=0 20 */1 * * ?" />
<log message="Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}"/>
<bean ref="purgeBean" method="deleteProcessData"/>
<to uri="jdbc://myDataSource"/>
<log message="Rows deleted from PROCESS_TABLE: $simple{header.CamelJdbcUpdateCount} "/>
</route>
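The distinction the question turns on, as an added example that is not code from the post or from Camel itself: a fixed SQL string with no runtime input has no injection surface, and allowNamedParameters only matters once the statement contains :?name placeholders. The class PurgeBean and its three methods are hypothetical; the named-parameter variant assumes the endpoint option useHeadersAsParameters=true on the jdbc endpoint.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Map;
import org.apache.camel.Headers;

/** Hypothetical purge bean showing where an injection surface would (and would not) appear. */
public class PurgeBean {

    // As in the question: a constant statement. Nothing from the message reaches the
    // string, so there is nothing an attacker could influence, with or without named parameters.
    public String deleteProcessData() {
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days";
    }

    // Risky pattern to avoid: the retention comes from the message and is concatenated
    // into the statement, so whatever text the header carries becomes SQL.
    public String deleteWithConcatenation(String daysFromHeader) {
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - "
                + daysFromHeader + " days";
    }

    // Safe pattern when input is needed: compute the cutoff in Java and bind it through
    // Camel's named parameters. The :?cutoff placeholder is resolved from the
    // CamelJdbcParameters header when the endpoint sets useHeadersAsParameters=true, e.g.
    //   <to uri="jdbc://myDataSource?useHeadersAsParameters=true"/>
    // The value travels as a bound Timestamp, never as SQL text.
    public String deleteWithNamedParameter(@Headers Map<String, Object> headers, int retentionDays) {
        Timestamp cutoff = Timestamp.from(Instant.now().minus(retentionDays, ChronoUnit.DAYS));
        headers.put("CamelJdbcParameters", Map.of("cutoff", cutoff));
        return "DELETE FROM MY_TABLE WHERE MOD_TIME <= :?cutoff";
    }
}
```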