Protect against SQL injection 1
There are several methods to protect against SQL injection attacks. Some of them are:
1. Always filter user-provided data
2. Always sanitize user-provided data (String.replaceAll, mysql_real_escape_string)
3. Always use parameterized queries
4. Use different database users for select, insert and delete
5. Encrypt passwords before storing them in the database
1A. Use a ServletFilter to filter risky data when using Java
<filter>
    <filter-name>FilterUsage1</filter-name>
    <filter-class>com.company.servlet.FilterUsage1</filter-class>
</filter>
<filter-mapping>
    <filter-name>FilterUsage1</filter-name>
    <url-pattern>/Servlet1</url-pattern>
</filter-mapping>
package com.company.servlet;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

public class FilterUsage1 implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String maliciousStr = request.getParameter("maliciousStr");
        // Reject the request before it reaches the servlet if the parameter contains a single quote
        if (maliciousStr != null && maliciousStr.contains("'")) {
            request.setAttribute("errorMsg", "Single quote not allowed.");
            req.getRequestDispatcher("/jsp/filterusage1.jsp").forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
For more information see Filter-usage-to-prevent-malicious-data-1.php.
1B. Use PHP filter functions to filter risky data when using PHP
<?php
// filtering by variable: validate a value that has already been read from $_GET
// (each call returns false when the value fails validation, so check the result before use)
$var1 = filter_var($_GET["arg1"], FILTER_VALIDATE_BOOLEAN);
$var2 = filter_var($_GET["arg2"], FILTER_VALIDATE_EMAIL);
$var3 = filter_var($_GET["arg3"], FILTER_VALIDATE_FLOAT);
$var4 = filter_var($_GET["arg4"], FILTER_VALIDATE_INT);
$var5 = filter_var($_GET["arg5"], FILTER_VALIDATE_IP);
// FILTER_VALIDATE_REGEXP needs the pattern passed in the "regexp" option
$var6 = filter_var($_GET["arg6"], FILTER_VALIDATE_REGEXP,
                   array("options" => array("regexp" => "/^[A-Za-z ]+$/")));
$var7 = filter_var($_GET["arg7"], FILTER_VALIDATE_URL);
// filtering by input: filter_input reads the variable itself, so it takes
// the input source (INPUT_GET) and the parameter name rather than the value
$input1 = filter_input(INPUT_GET, "arg1", FILTER_VALIDATE_BOOLEAN);
$input2 = filter_input(INPUT_GET, "arg2", FILTER_VALIDATE_EMAIL);
$input3 = filter_input(INPUT_GET, "arg3", FILTER_VALIDATE_FLOAT);
$input4 = filter_input(INPUT_GET, "arg4", FILTER_VALIDATE_INT);
$input5 = filter_input(INPUT_GET, "arg5", FILTER_VALIDATE_IP);
$input6 = filter_input(INPUT_GET, "arg6", FILTER_VALIDATE_REGEXP,
                       array("options" => array("regexp" => "/^[A-Za-z ]+$/")));
$input7 = filter_input(INPUT_GET, "arg7", FILTER_VALIDATE_URL);
?>
2. Use replace/remove functions to sanitize the data.
In Java use String.replaceAll(expr, substitute) to replace every single quote with \' so that the quote is treated as escaped by the database.
In PHP/MySQL use the mysql_real_escape_string() function to escape single quotes.
// escape the value for use in a MySQL query string
// (mysql_real_escape_string was deprecated in PHP 5.5 and removed in PHP 7; mysqli_real_escape_string is the current equivalent)
$maliciousStr = mysql_real_escape_string($maliciousStr);
3A. Use a PreparedStatement rather than a Statement in all JDBC calls, as in the following:
protect-against-sql-injection.jsp
<%@ page import="java.sql.*" %>
<html>
<body>
<%
    Connection con = null;
    PreparedStatement pstmt = null;
    ResultSet rs = null;
    // The ? placeholder is bound with setString below, so the user's value never becomes part of the SQL text
    String query = "SELECT FIRST_NM, LAST_NM, DT_OF_BIRTH FROM EMPLOYEE_DTL WHERE FIRST_NM = ? ";
    String firstName = request.getParameter("firstName");
    if (firstName != null) {
        try {
            Class.forName("org.hsqldb.jdbcDriver");
            con = DriverManager.getConnection("jdbc:hsqldb:hsql://localhost/trupti_db", "SA", "");
            pstmt = con.prepareStatement(query);
            pstmt.setString(1, firstName);
            rs = pstmt.executeQuery();
            out.print("<table border='1' bgcolor='#EFEFEF'>");
            out.print("<tr>");
            out.print("<td><b>FIRST_NM</b></td>");
            out.print("<td><b>LAST_NM</b></td>");
            out.print("<td><b>DT_OF_BIRTH</b></td>");
            out.print("</tr>");
            while (rs.next()) {
                out.print("<tr>");
                out.print("<td>" + rs.getString("FIRST_NM") + "</td>");
                out.print("<td>" + rs.getString("LAST_NM") + "</td>");
                out.print("<td>" + rs.getString("DT_OF_BIRTH") + "</td>");
                out.print("</tr>");
            }
            out.print("</table>");
        } finally {
            // Release JDBC resources even if the query throws
            if (rs != null) rs.close();
            if (pstmt != null) pstmt.close();
            if (con != null) con.close();
        }
    }
%>
<form name='frm' method='post'>
    <input type='text' name='firstName' value='' />
    <input type='submit' name='submit' value='Search' />
</form>
</body>
</html>
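As an added example (not code from the original page), the first three methods above side by side in Python with the standard-library sqlite3 module instead of JDBC, so it runs without a database server; the EMPLOYEE_DTL table and its two rows are constructed for the demo. Beyond what the text says, it shows what happens to a legitimate name containing a quote: the concatenated query breaks, the filter refuses it, escaping works only when the escape rule matches the database, and the parameterized query handles it unchanged.

```python
import sqlite3

# Constructed in-memory table mirroring the page's EMPLOYEE_DTL columns
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEE_DTL (FIRST_NM TEXT, LAST_NM TEXT, DT_OF_BIRTH TEXT)")
    con.executemany("INSERT INTO EMPLOYEE_DTL VALUES (?, ?, ?)",
                    [("Alice", "Smith", "1980-01-01"), ("O'Brien", "Pat", "1975-05-05")])
    return con

def search_concat(con, first_name):
    # Vulnerable pattern: the user's value is spliced into the SQL text, so a quote
    # in the value changes the statement's structure instead of staying data.
    sql = ("SELECT FIRST_NM, LAST_NM, DT_OF_BIRTH FROM EMPLOYEE_DTL WHERE FIRST_NM = '"
           + first_name + "'")
    return con.execute(sql).fetchall()

def search_filtered(con, first_name):
    # Method 1 (filter): reject the value outright, like the servlet filter above.
    # Safe, but a legitimate name such as O'Brien is refused.
    if "'" in first_name:
        raise ValueError("Single quote not allowed.")
    return search_concat(con, first_name)

def search_escaped(con, first_name):
    # Method 2 (sanitize): escape the quote before concatenating. SQLite and ANSI SQL
    # double it (''); the \' form on the page is MySQL-specific, so the rule must match the DB.
    return search_concat(con, first_name.replace("'", "''"))

def search_param(con, first_name):
    # Method 3 (parameterize): the value travels separately from the SQL text,
    # the same thing PreparedStatement.setString(1, firstName) does in the JSP.
    sql = "SELECT FIRST_NM, LAST_NM, DT_OF_BIRTH FROM EMPLOYEE_DTL WHERE FIRST_NM = ?"
    return con.execute(sql, (first_name,)).fetchall()

def run_all(first_name):
    # Returns each method's rows, or an error string when the method fails
    con = make_db()
    out = {}
    for label, fn in (("concat", search_concat), ("filtered", search_filtered),
                      ("escaped", search_escaped), ("param", search_param)):
        try:
            out[label] = fn(con, first_name)
        except (sqlite3.OperationalError, ValueError) as e:
            out[label] = "error: " + str(e)
    return out
```

Calling run_all("O'Brien") returns an SQL syntax error for the concatenated query, the filter's rejection message, and the O'Brien row for both the escaped and the parameterized query.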