If you need string concatenation, either use a servlet or filter (or mod_rewrite?) to first check for bad characters and send a 4XX or 5XX response if any bad characters are detected.
-Tim
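As an added example, not code from Tim or from Tomcat itself, here is the kind of servlet Filter the reply above describes: it checks every request parameter against an allow-list and answers with HTTP 400 before the request reaches the JSP. It targets the Servlet 2.3 API (javax.servlet) that Tomcat 4 ships; the class name, the filter name and the allow-list pattern are assumptions for this example and should be adjusted to what the application actually accepts.

```java
// Added example (not from the thread): reject request parameters that
// contain characters outside an allow-list and answer with HTTP 400.
// Assumes the Servlet 2.3 API (javax.servlet) shipped with Tomcat 4.
// The class name and the ALLOWED pattern are assumptions for this example.
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class AllowListInputFilter implements Filter {

    // Allow-list: letters, digits, space and a few punctuation marks.
    // Anything else (quotes, semicolons, control bytes, ...) fails the check.
    // Widen or narrow this to the input the application really needs.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9 @._-]*");

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        String badParam = firstRejectedParameter(request);
        if (badParam != null) {
            HttpServletResponse resp = (HttpServletResponse) response;
            // Refuse the request before it reaches the JSP/servlet. Only the
            // parameter name is reported; the offending value is not echoed.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "Parameter '" + badParam + "' contains disallowed characters");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Returns the name of the first parameter whose value fails the allow-list, or null. */
    static String firstRejectedParameter(ServletRequest request) {
        Enumeration names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            for (int i = 0; i < values.length; i++) {
                if (!isAllowed(values[i])) {
                    return name;
                }
            }
        }
        return null;
    }

    /** True when the whole value consists of allow-listed characters. */
    static boolean isAllowed(String value) {
        return value != null && ALLOWED.matcher(value).matches();
    }
}
```

The filter is wired in with a `<filter>` and `<filter-mapping>` entry in the application's web.xml (mapping it to `/*` covers every request). Note that this is a defence-in-depth layer only: an allow-list check cannot know which parameters end up in SQL, so the queries themselves should still avoid building statements by string concatenation wherever that is possible.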
Curley, Thomas wrote:
Thanks Andrey and Tim for replies - appreciate it
Had thought of setting rewrite rules in Apache and only allowing valid chars in - would that be better/worse?
Thomas
-----Original Message-----
From: Andrey Rogov [mailto:[EMAIL PROTECTED]
Sent: 12 December 2003 12:00
To: Tomcat Users List
Subject: Re: SQL Injection and Tomcat
Hi,
You can configure the Valve param in your server.xml file:

<Context path="" docBase="Root" debug="0">
  <Valve className="path.to.your.app.BadInputFilterValve"
         deny="\x00,\x04,\x08,\x0a,\x0d"/>
</Context>

You can also buy the wonderful book Tomcat: The Definitive Guide
by Ian F. Darwin & Jason Brittain
CT> Hi,
CT> I have an app using MySQL and TC4 on Linux, a JSP app.
CT> Does Tomcat have any inbuilt features to filter out certain characters like ', ;, etc. from request URIs? Would a filter or valve impl help with this, or is it necessary to parse all input (may
CT> affect performance)?
CT> any experience
CT> thanks
CT> Thomas
