Sunday, July 8, 2007

SQL-injection and OFBIZ

One of the great things about the OFBIZ entity engine is that it is well nigh impossible to mount a SQL injection attack against it.

None of the web-application security scans I've done against OFBIZ applications have ever yielded a SQL injection vulnerability and it isn't because of careful parameter scrubbing. Looking at the code, I can't really see how any SQL injection could work. I'm not ready to declare that OFBIZ is completely free of SQL injection problems, but it is beyond me to find any.

Of course, one gives this protection up when switching to raw JDBC, and the limitations of the entity engine may well induce one to do that. Take security into consideration when making that decision.
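As an added example (not code from this post or from OFBIZ), here is the contrast the paragraph above describes, written in Python against an in-memory SQLite database so it runs without a JDBC driver: the concatenated query stands in for a JDBC `Statement` built from a string, the bound query for a `PreparedStatement` with `setString()`. The `party` table and its rows are constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the post): a hypothetical party table,
# including one legitimate value that contains an apostrophe.
SAMPLE_ROWS = [
    ("DemoCustomer", "Demo Customer"),
    ("DemoSupplier", "Demo Supplier"),
    ("admin", "Administrator"),
    ("O'Brien", "Customer whose id contains a quote"),
]


def make_connection():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE party (party_id TEXT PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO party VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_party_concatenated(conn, party_id):
    """The pattern to avoid: the caller's value is spliced into the SQL text.
    This is what a hand-built string passed to a JDBC Statement looks like;
    the database cannot tell where the query ends and the data begins."""
    sql = "SELECT party_id, description FROM party WHERE party_id = '" + party_id + "'"
    return conn.execute(sql).fetchall()


def find_party_bound(conn, party_id):
    """The safe pattern: the SQL text is fixed and the value travels as a bound
    parameter, the equivalent of a JDBC PreparedStatement. The value is never
    parsed as SQL, so a quote inside it is just a character."""
    sql = "SELECT party_id, description FROM party WHERE party_id = ?"
    return conn.execute(sql, (party_id,)).fetchall()


if __name__ == "__main__":
    conn = make_connection()
    tautology = "' OR '1'='1"
    print("concatenated:", find_party_concatenated(conn, tautology))  # every row leaks
    print("bound:       ", find_party_bound(conn, tautology))         # no such party_id
    # The bound form also handles legitimate quotes, where the concatenated
    # form produces a malformed statement.
    print("bound quote: ", find_party_bound(conn, "O'Brien"))
```

Two things are worth noticing when running it: the tautology input returns the whole table through the concatenated query and nothing through the bound one, and the legitimate id `O'Brien` raises an `OperationalError` from the concatenated query while the bound query returns the row. Binding parameters is a correctness fix as much as a security fix, which is one reason the entity engine's approach costs nothing to keep.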