--- Jim Barrows <[EMAIL PROTECTED]> wrote:

> > -----Original Message-----
> > From: Woodchuck [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, August 25, 2004 9:44 AM
> > To: struts
> > Subject: best practice for handling single/double quotes, html
> > characters, sql injection/poisoning
> >
> > hihi,
> >
> > does struts or jstl have a good way to handle data coming back from the
> > database that contains things like:
> > - ' (single quote)
> > - " (double quote)
> > - <,> (html characters)
>
> No

darn.

> > and also to prevent against sql injection/poisoning attacks?
> >
> > can someone shed light on best practice suggestions?
>
> My anti-injection techniques consist of:
> 1) Use prepared statements whenever possible. It will handle most of
>    your concerns automagically.
> 2) If you're really paranoid, use a filter to go through all parameters
>    on the way in looking for select.*from.*[(table1)(table2)],
>    insert.*[(table1)(table2)] and other SQL syntax as well. [1]
> 3) HTML: you're looking for cross site scripting stuff, which, iirc, is
>    covered with \<a.*href= and \<img in fields where you know you don't
>    want to allow any html. [1]
>
> Then the filter flags to email any generic (ie select.*from) for human
> eyeballs, and rejects on sql patterns that also include table names. Does
> the same for html, although I do more flagging than rejecting.
>
> Looking for quotes and the like is fine, but there are so many
> exceptions that it's easier to use jakarta-oro or jakarta-regex to look
> for the things that are really a problem, and act on those.
>
> [1] Don't trust my regexes; I'm doing this off the top of my head.

Thanks a lot. I like using regex to do format and even (literal) type
validation. Regex makes doing these validations easier, IMO, and, as you
suggested, for filtering purposes.

Unfortunately my application is not database specific, so I am using JDBC
and passing in embedded simple SQL query and update statements (and
emulating the complicated routines that are often found in stored
procedures, like cursors, etc., in the Java layer instead).

So I guess I will write a function that all data being saved must pass
through before actually saving, to eliminate SQL injection/poisoning, and
another function to prevent my HTML pages from breaking for data coming
out of the database (i.e. for single/double quotes, HTML characters).

The QA people here, I'm sure, will have fun trying to break my app, so how
paranoid my filters get will depend on what level of "user from hell" they
are, hehe.

Thanks again!

woodchuck
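The three points raised in the thread (bind parameters with a PreparedStatement, treat a keyword regex filter as only a second line of defence, and escape on the way out rather than on the way in) as one runnable Java class. This is an added example written for this page, not code posted by Jim Barrows or woodchuck. It assumes an in-memory H2 database (any JDBC driver works; only the URL changes), a hypothetical `users` table it creates itself, and a constructed injection payload; the `escapeHtml` helper reproduces the substitutions JSTL's `<c:out>` performs with its default `escapeXml="true"`.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not from the mailing-list thread): string-built SQL beside a
 * PreparedStatement, plus HTML escaping at render time.
 *
 * Assumption: the H2 JDBC driver is on the classpath. The table and rows are
 * constructed here for the demo.
 */
public class InjectionDemo {

    static final String JDBC_URL = "jdbc:h2:mem:demo"; // assumed driver/URL

    /** VULNERABLE: the caller's text is pasted into the SQL, so a quote becomes syntax. */
    static int countByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** SAFE: the text is bound as a parameter; the driver sends it as data, never as SQL. */
    static int countByNameSafe(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    /**
     * Escape the characters that let stored data break out of HTML text or a
     * quoted attribute. Same substitutions as JSTL <c:out escapeXml="true">.
     */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(JDBC_URL);
             Statement st = c.createStatement()) {
            // Constructed sample data, including a legitimate name with a quote in it.
            st.execute("CREATE TABLE users (name VARCHAR(64))");
            st.execute("INSERT INTO users VALUES ('alice'), ('bob'), ('o''brien')");

            // Constructed payload. It contains no SELECT/FROM/INSERT, so a
            // keyword regex such as select.*from would not flag it.
            String payload = "x' OR '1'='1";

            System.out.println("unsafe: " + countByNameUnsafe(c, payload)); // 3: the tautology matches every row
            System.out.println("safe:   " + countByNameSafe(c, payload));   // 0: nobody is literally named x' OR '1'='1
            System.out.println("safe:   " + countByNameSafe(c, "o'brien")); // 1: the quote is ordinary data

            // Output side: escape when rendering the page, not when storing the value.
            System.out.println(escapeHtml("<img src=x onerror=\"alert(1)\">"));
            // &lt;img src=x onerror=&#034;alert(1)&#034;&gt;
        }
    }
}
```

Two design points worth keeping in mind when adapting this to a Struts/JSTL application: storing data escaped (or stripped) on the way in means the same value is wrong for every context other than HTML (logs, CSV exports, JSON), so keep the raw value in the database and let `<c:out>` or an equivalent escape it at the point of output; and a PreparedStatement only protects the positions you bind, so table or column names chosen by the user still need to be checked against a fixed whitelist rather than concatenated.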