On Tue, 24 Apr 2001, Saumont Pierre-Yves wrote:

| Do any of you input data coming from an HTML form into a database
| without filtering? Very often this data is to be output sooner or later in
| an HTML page. So, forgetting to filter for characters such as ', ", < or &
| will undoubtedly lead to trouble. And even without crackers, forgetting to
| filter data before inputting it into the database will probably cause problems if
| it contains ' or ". I presume that in most cases, a servlet inputting data into
| a database without filtering simply won't work. So there are few chances
| that a cracker will find a working example to experiment with.

Use PreparedStatement instead of Statement. This statement is made using
placeholders in the SQL commands, and then you have lots of setters
(setDate bla bla) for setting those placeholders. It does all escaping
you need for you, and everything (like storing binary data) is easy.

Also you should never _filter out_ things. You should always _accept_ user
data (basically "Order deny, accept. Deny all. Accept some small subset").
So you set up a filter accepting this range, this range, this character
and that's it. Everything else is deemed suspicious. This is the safest
bet.

Endre.

--
Mvh,
Endre

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
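The two pieces of advice in the reply above (placeholders instead of building the SQL string, and an allowlist rather than a blocklist), worked through as an added example that is not from the thread or from any of its authors. It uses Python's built-in sqlite3 module rather than JDBC because it ships with the interpreter and runs offline, and its `?` placeholders work exactly like those of PreparedStatement: the SQL text is fixed and the values are sent separately. The table, columns and sample rows are constructed for the demo. It also shows the output-side HTML escaping the quoted question is concerned with.

```python
import html
import re
import sqlite3


def new_db():
    """In-memory database with a constructed comments table, standing in
    for the servlet's backend. Two rows are seeded with the placeholder
    form; note the second author and body contain ', <, & and "."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    insert_param(conn, "alice", "first post")
    insert_param(conn, "O'Brien", "I like <b>bold</b> & \"quotes\"")
    return conn


def insert_concat(conn, author, body):
    """The pattern the thread warns against: form data spliced into the SQL
    text. A ' in the data ends the literal early, so the statement either
    is a syntax error (the 'simply won't work' case) or means something
    else entirely."""
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)


def insert_param(conn, author, body):
    """Placeholders: the SQL text never changes and the values travel
    separately, as with PreparedStatement.setString(). Nothing in the data
    is parsed as SQL, so it is stored verbatim and no escaping is needed."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def lookup_concat(conn, author):
    """Vulnerable lookup: the WHERE clause is built by concatenation, so a
    value like  ' OR '1'='1  turns it into a query matching every row."""
    sql = "SELECT author, body FROM comments WHERE author = '%s'" % author
    return conn.execute(sql).fetchall()


def lookup_param(conn, author):
    """Same query with a placeholder; the parameter can only ever be a value,
    so the same hostile string simply matches nothing."""
    return conn.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


def concat_insert_fails(author):
    """True if the concatenated INSERT raises on this input. Older Python
    versions signal a multi-statement attempt with sqlite3.Warning rather
    than sqlite3.Error, so both are caught."""
    conn = new_db()
    try:
        insert_concat(conn, author, "hello")
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False


# Allowlist for a field with a known shape (a user name here), following the
# 'accept a small subset, everything else is suspicious' rule. fullmatch is
# used instead of match() with '$' because '$' would still accept a trailing
# newline. The character set and length limit are assumptions for the demo.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def accept_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def render_comment(author, body):
    """Output-side encoding for the HTML page. Storing ', ", < and & verbatim
    is fine once placeholders are used; they are escaped at the moment they
    are written into HTML, not when they go into the database."""
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


if __name__ == "__main__":
    db = new_db()
    print(concat_insert_fails("O'Brien"))        # True: the ' breaks the statement
    print(lookup_concat(db, "' OR '1'='1"))      # both rows leak
    print(lookup_param(db, "' OR '1'='1"))       # []
    print(lookup_param(db, "O'Brien"))           # only O'Brien's row
    print(accept_username("bob_42"), accept_username("bob'; --"))
    print(render_comment(*lookup_param(db, "O'Brien")[0]))
```

The database is the wrong place to defend against HTML: with placeholders the apostrophe in "O'Brien" is stored as-is and comes back as-is, and `render_comment` handles the page. The allowlist is for fields that have a defined shape; free text such as a comment body gets stored intact and relies on the placeholder plus output escaping.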
