You can avoid most, if not all, of these types of attacks by using
prepared statements (either via straight JDBC or through your database
of choice internally). I've found that I've never had any reason to
NOT use PreparedStatements in either desktop or web-based apps, and
one of the big helpers is that they automatically take care of parsing
out any weird characters that the database may not like.

-Nick

p.s. This isn't Tapestry-specific; it applies to ANY web-based app
that is backed by a database and allows straight query parameters in
the request line.

On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> Has anyone out there given any serious thought towards a strategy for
> preventing these kinds of attacks in Tapestry forms?
> 
> examples:
> 
> http://www.securiteam.com/securityreviews/5DP0N1P76E.html
> 
> Geoff
> --
> The Spindle guy.           http://spindle.sf.net
> Get help with Spindle:
> http://lists.sourceforge.net/mailman/listinfo/spindle-user
> Announcement Feed:
> http://www.jroller.com/rss/glongman?catname=/Announcements
> Feature Updates:            http://spindle.sf.net/updates
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>
