I use a Sybase database.
If I want to use OWASP ESAPI to prevent SQL Injection,
which codec should I use?
OracleCodec ? MySQLCodec ? DB2Codec ? https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/codecs/package-summary.html
Thank you!
First and foremost, do not use ESAPI to prevent SQL Injection. The design intent of all of the SQL encoding codecs that exist was to provide an emergency measure for incidents where a website got hacked and you need something quick and dirty in place while you rewrite all your queries to use Prepared Statements.
Here's an excerpt of documentation for the OracleCodec:
/**
* Implementation of the Codec interface for Oracle strings. This function will only protect you from SQLi in the case of user data
* being placed within an Oracle quoted string such as:
*
* select * from table where user_name=' USERDATA ';
Ignore the following words from the Sybase manual:
Do not prepare statements that are used only once
Use Prepared Statements or stored procedures for all database transactions. In almost a decade of engineering, I've never actually seen a real-life performance penalty for using Prepared Statements. In most languages, performance improves. This is certainly the case for Java.
Here's what a Prepared Statement looks like:
[2019 EDIT]
The below code could technically be an SQLi itself; back when I wrote this, I meant to point out that the dbName parameter is safe to use in this way only when the server has absolute control over the value.[/2019]
// dbName must come from server-side configuration, never from user input (see the 2019 edit above)
String updateString =
"update " + dbName + ".COFFEES " +
"set SALES = ? where COF_NAME = ?";
PreparedStatement updateSales = con.prepareStatement(updateString);
updateSales.setInt(1, sales);           // bound as data; never parsed as part of the SQL text
updateSales.setString(2, coffeeName);   // a quote in coffeeName cannot break out of the literal
updateSales.executeUpdate();
There is currently no Sybase codec provided by ESAPI, and there are currently no plans to develop one.
Source: I am currently project co-lead for ESAPI.
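As an added example that is not part of the original answer or of ESAPI: the contrast the answer draws, run end to end. It uses Python's standard-library sqlite3 module so it executes offline without a Sybase server or JDBC driver; bound parameters behave the same way as a JDBC PreparedStatement. The table, its rows and the attacker payloads are constructed for the demo. quote_double is a minimal stand-in for what a quote-doubling SQL codec does in the quoted-string case the OracleCodec Javadoc describes; it is written for this example and is not ESAPI's code. The last two lookups show why such an escaper is only an emergency measure: once the value is placed outside quotes, there is nothing for it to escape.

```python
import sqlite3

# Constructed sample data standing in for the real table; not from the original page.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer, user_name text)")
    con.executemany("insert into users values (?, ?)", USERS)
    return con


def names_by_concat(con, user_name):
    """Vulnerable: user data is spliced into the SQL text, so a quote in it changes the query."""
    sql = "select user_name from users where user_name='" + user_name + "'"
    return [row[0] for row in con.execute(sql)]


def names_by_prepared(con, user_name):
    """Safe: the value is bound as a parameter and can only ever be compared as data."""
    sql = "select user_name from users where user_name=?"
    return [row[0] for row in con.execute(sql, (user_name,))]


def quote_double(s):
    """Emergency escaper in the spirit of the OracleCodec excerpt: double every single quote.
    Written for this example as an illustration; not ESAPI code."""
    return s.replace("'", "''")


def names_by_escaped_quoted(con, user_name):
    """Escaper used the one way the Javadoc allows: value sits inside a quoted string literal."""
    sql = "select user_name from users where user_name='" + quote_double(user_name) + "'"
    return [row[0] for row in con.execute(sql)]


def names_by_escaped_unquoted(con, user_id):
    """Escaper misapplied: value lands in a numeric context, where quotes are irrelevant."""
    sql = "select user_name from users where id=" + quote_double(user_id)
    return [row[0] for row in con.execute(sql)]


def names_by_prepared_id(con, user_id):
    """The same numeric lookup with a bound parameter; a non-numeric payload simply matches nothing."""
    sql = "select user_name from users where id=?"
    return [row[0] for row in con.execute(sql, (user_id,))]


def run_demo():
    """Run every lookup against the same constructed payloads and return the results."""
    con = make_db()
    tautology = "' or '1'='1"   # classic breakout from a quoted string
    comment_out = "alice'--"    # closes the literal, comments out the trailing quote
    numeric = "1 or 1=1"        # breakout that needs no quote characters at all
    results = {
        "concat/tautology": names_by_concat(con, tautology),
        "prepared/tautology": names_by_prepared(con, tautology),
        "concat/comment": names_by_concat(con, comment_out),
        "prepared/comment": names_by_prepared(con, comment_out),
        "escaped_quoted/tautology": names_by_escaped_quoted(con, tautology),
        "escaped_unquoted/numeric": names_by_escaped_unquoted(con, numeric),
        "prepared_id/numeric": names_by_prepared_id(con, numeric),
        "prepared_id/legit": names_by_prepared_id(con, 2),
        "prepared/legit": names_by_prepared(con, "alice"),
    }
    con.close()
    return results


if __name__ == "__main__":
    for label, names in run_demo().items():
        print(f"{label:26} -> {names}")
```

Running it shows the concatenated queries returning every user (or the wrong user) for the injected payloads, the prepared statements returning nothing for them while still finding the legitimate row, and the escaper holding up only in the quoted-string case it was designed for.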