JDBC security in JSP
Hi,
I would like to clear a String from possible hostile SQL-commands that might exist in the String. The reason is that I get login and pw from the user (with request.getParameter) and then use that text in order to search my database for matches. So how do I get rid of all SQL-commands in the string?
It's a rather serious security-breach...
True, you can never be too security concious where a webapp is concerned but PreparedStatement's help:
PreparedStatement s = con.prepareStatement("SELECT gid FROM users WHERE id=? AND pw=?");
s.setString(1,id);
s.setString(2,pw);
s.executeUpdate();
And then a client passes:
blub OR 1=1
fuff OR 2=2
will be executed as:
SELECT gid FROM users WHERE id='blub OR 1=1' AND pw='fuff OR 2=2'
..as the setString() method also adds the single quotes.
However what you point out may be a possibility (?) for setInt() method so I guess we should be careful when using 2 setInt()'s in the same call..
HTH
Mike.
Similar Messages
-
Securing a JSP call from within the OAF
Dear All
I am calling a custom JSP file ($OA_HTML/test.jsp) from within the controller class of an OAF page using the pageContext.setForwardURL where the JSP file is registered as an AOL function, so therefore the first parameter of the setForwardURL call is the function name.
Now the whole reason of wrapping this JSP file around OAF, is to take advantage of OAF’s security framework and Apps Specific Functionality, so that we can perform various security checks and validation before proceeding with the call to the JSP page.
This is working fine and we are getting the desired result, however, there is nothing stopping someone from directly typing the call to the JSP into the browser and executing the JSP and effectively bypassing the OAF page/controller, e,g:
http://server.host.domain:port/OA_HTML/test.jsp
Now the question is, is there any way for us to either
· Prevent a direct execution of the JSP from the URL, by placing some kind of special JSP commands, which intrinsically ties the JSP with the OA controller.
· Inside JSP validate and authenticate a user.
· Any other methodologies that will secure the JSP file.
Your help and Guidance is appreciated.
Thanks
PatriceActually there is AOL security u can use to validate whether the particular jsp is directly invoked or coming from secure session.You can use code like
WebAppsContext webAppsContext = WebRequestUtil.validateContext(request, response);
The validateContext method checks whether the session associated with the request and response streams is a valid one - if so it returns a properly validated context. If the session is invalid or expired, this will take care of displaying a login page to the user and the method will return null.
--Mukul -
Is application developed by servlet more secure than jsp?
jsp has appeared, but someone still use servlet.
Those reason is that servlet can make application higher security. Is it true?Servlets are no more secure than JSPs, because JSPs are servlets - they're just another way of building the same thing. There is nothing you can do in a JSP that you can't do in a servlet or vice versa.
Why switch to or from JSPs or servlets? - you should be using both. Use servlets for heavy processing logic and JSPs for presentation (MVC pattern). That way you get maximum separation of logic and presentation. You can pretty much let HTML developers work normally, then come along afterwards and stick a little bit of Java code in the page to make it all dynamic. Better still, you can create easy-to-use custom tags that your HTML developers can easily understand without needing any programming experience. This leaves you free to work on the logic in the back-end. -
Hi,
I was wondering if anyone could help or give me some ideas for this problem I have.
The web site that I'm developing uses jsp. It has a public section and a private section that requires a username and password to log in to it. Users have the ability to upload reports to the site, which can be of various formats, including HTML (Preferably), PDF, Word, and Excel. They can also mark these reports as private, so that only people that are logged in can view them, although at the moment this just doesn't show the link on the public pages.
The problem is that people can access the reports directly using the URL without logging in (admitedly they would have to know the URL first), but they could enter, for example,
http://www.my-domain.com/reports/myreport.doc
This means there's nothing to stop them accessing these private documents.
Is there a way of placing the reports outside the browsable tomcat tree and then use the JSP to display it, or the other option I can think of is to use windows security on the folder, but I wouldn't know how to let the JSP access it without opening it up to anonymous users.
Does anyone have any ideas?
If you have any questions just reply to this post and I'll get back to you.
Thanks,
Dave.You need to take a look at reamls:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
In short, you define your realm, which is used to authentify your users.
Then, you set constraints in your web.xml file (it can be as specific as a file, or as generic as a whole folder).
If someone type a url towards a protected file, they will automagically be redirected towards a login page.
Hope this helps!
Don't hesitate to ask if you have more questions.
Patrick -
I have a JavaBean where I am just trying to display information from MySQL database.
I keep getting a null output but should really get back 1 record.
Please advise what I am doing wrong because I have spent hours on this and I cant see what I did wrong:
package num;
import java.io.*;
import java.sql.*;
import java.util.*;
public class dbBean implements Serializable
protected transient String query;
protected transient String resultTable;
protected transient Connection conn;
public dbBean()
query = null;
resultTable = null;
conn = null;
public void setResultTable(String resultTable)
this.resultTable = resultTable;
public String getResultTable()
this.viewDatabaseTable();
return resultTable;
public void viewDatabaseTable()
executeDb(query);
public void executeDb(String query)
if(conn == null)
initializeDb();
try
Statement stmt = conn.createStatement();
ResultSet results = stmt.executeQuery("SELECT * from user where lastname = 'Jones'");
while(results.next())
results.getString("lastname");
stmt.close();
results.close();
conn.close();
catch (SQLException sqle)
sqle.printStackTrace();
public void initializeDb()
try
Class.forName("org.gjt.mm.mysql.Driver");
conn = DriverManager.getConnection("jdbc:mysql://localhost/myfirst?user=root&password=mypassword");
catch (SQLException sqle)
sqle.printStackTrace();
catch (ClassNotFoundException cnfe)
cnfe.printStackTrace();
}The JSP:
<%@ page import = "num.dbBean" %>
<jsp:useBean id="db" scope="session" class="num.dbBean">
</jsp:useBean>
<html>
<body>
<jsp:getProperty name="db" property="resultTable" />
<br>
data here
</body>
</html>If I put this in a scriplet it works and I can get back a record.
Please advise.while(results.next())
results.getString("lastname");
}Well you are iterating through your result set, but you aren't doing anything with the value now are you?
String lastName = results.getString("lastname");
what do you do with this value now?
Where do you call setResultTable() from? -
Calling Oracle JDBC Driver from JSP
I have Apache Tomcat installed under Win2000 and can run simple JSP
pages without any problems. I have installed Personal Oracle 9.0.1.0.1 on my win2000 PC and I can login using sqlplus as scott/tiger. The database is up.
But when I try to access an Personal Oracle DB from a JSP page I get the following
exception:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.
root cause
java.sql.SQLException: Io exception: Bad packet type
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:180)
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:222)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Here is my JSP program:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%@page language="java" import="java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@<my host PC name>:8080:shark","scott","tiger");
Statement stmt = conn.createStatement ();
stmt.close();
// Close the connection
conn.close();
%>
Does anyone know why this error is showing up?
ThanksProblem has been resolved. I did not have the Personal Oracle DB Listener running and the port needed to be changed to 1521 on the JSP program.
-
IP based security with JSP?
Hi,
How easy/hard would it be to implement IP based security in a JSP application? I.e. We want to restrict the IP addresses that can access our application.
Is this something that can be done in the web.xml using the security contraints??
Or is it much more ocmplex than this?
(We want to prevent our customer from sharing the application with third-parties, so we can not rely on a firewall based approach)
ThanksWell, for Apache, it's easier. I think for Location to work, you need virtual directories set up. I could be wrong... Or try using Directory intead of Location. I recall Location was for something special... but I forget the details. For Apache/Tomcat, I've usually used aliases to handle directories...
Alias /ITMS "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS"
<Directory "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS">
AllowOverride None
Options Indexes
Order allow,deny
Allow from all
ExpiresActive On
ExpiresByType application/octet-stream "access plus 7 days"
ExpiresByType image/gif "access plus 7 days"
ExpiresByType image/jpeg "access plus 7 days"
ExpiresByType text/x-javascript "access plus 0 seconds"
ExpiresByType text/css "modification plus 7 days"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType text/vnd.wap.wml "access plus 0 seconds"
ExpiresDefault "now plus 1 month"
</Directory>
You can set up deny's from IP or IP range or domain.
Deny from .domain.com
Deny from 123.232.123.33
Deny from 123.232.124. -
Problem using JDBC driver with JSP
Hi, I am trying to connecto to my mysql server via a JSP page, but it seems that there is a problem with the driver call or something in my configuration that unables me to connect. I have the mysql-connector-java-3.0.7-stable driver.
This is how my classpath looks like:
CLASSPATH=/home/hooper/Sources/mysql-connector-java-4.0.7-stable/lib:/home/hooper/Sources/mysql-connector-java-3.0.7-stable/com:/home/hooper/Sources/mysql-connector-java-3.0.7-stable/mysql-connector-java-3.0.7-stable-bin.jar:/usr/java/j2sdk1.4.1_02:.:/usr/java/j2sdk1.4.1_02/lib/tools.jar:/usr/java/j2sdk1.4.1_02
And this is my JSP page code:
<%@ page language="java" import= "java.sql.*"%>
<%
Connection con = null;
String userName = "hooper";
String password = ""; //No password
String url = "jdbc:mysql://localhost/test";
//Load the Driver class file
Class.forName("com.mysql.jdbc.Driver");
//Make a connection to the MySQL database
con = DriverManager.getConnection (url, userName, password);
out.println ("Database connection established");
if (con != null){
//Close the connection
con.close();
%>
And this is the error I get from Tomcat4.1.18:
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
org.apache.jasper.JasperException: com.mysql.jdbc.Driver
root cause
javax.servlet.ServletException: com.mysql.jdbc.Driver
I hope someone can help me with this.
Thanks,
LuisHi..
Try using this way
String userName = "hooper";
String password = ""; //No password
String url = "jdbc:mysql://localhost:3306/test";
Class.forName("org.gjt.mm.mysql.Driver");
try to download the driver for mysql and add it to your classpath
Hope this works
Regd
Vasi -
Portal time out with large jdbc query in JSP bean
Hi,
My JSP portlet always times out while waiting to complete two large JDBC queries. The error shown in my jserv.log file is:
[28/03/2002 12:41:51:221 GMT+08:00] page/Fetching timed out for an Unknown Reason. Killing fetcher name=content-fetcher2 label=174 url=http://mephistopheles.au.oracle.com/servlet/agcharts time=120633
[28/03/2002 12:43:10:595 GMT+08:00] page/UncaughtException in thread name=content-fetcher2, starting a new fetcher after exception
java.lang.ThreadDeath
Is there some particular settings I can modify to prevent the content fetcher from timing out? CheersThanks. The charts portlet now can be delayed up to the required ~10mins before returning data from the large query. This works in conjunction with changes in the directives/parameters for Jserv and httpd(Note:180548.1)
Shankar,
Normally, you can increase the time out in the portlet tag of the provider.xml file. The timeout is in seconds, you should also increase the provider timeout. This is done in the provider registration screen.
<timeout>60</timeout>
<timeoutMessage>My Portlet Timed Out</timeoutMessage>
Please note that if you set the timeout too high and your portlet is really not coming up, you page will wait the 60, 90, 120, etc seconds for the portlet to timeout, so be careful will portlet and provider timeouts.
Sue -
Any JDBC beans available for JSP? I know regular JDBC can be used but putting database connection logic in jsp sort of destroys its purpose. Are any beans in the works? Freeware/OSS beans?
Yes, we are working on some JDBC-based beans to facilitate database access. Ours is not available yet, not sure about other freeware.
-
Hi, experts,
I am new to java and j2ee.
I have one basic question.
Let's assume that I get a jdbc connection in the beginning of a jsp file and close it at the end.
(I know it is a bad coding practice.)
Let's say. I want to open that jsp file.
When I open that page, it will open a connection and close it when the page is completely loaded.
My question is this:
What happens to the connection when I close the page before it is completely loaded?
i.e., if I close the page before it closes the connection???
I just want to know about this for my knowledge of java.
Thank you for your help.Hi, experts,
I am new to java and j2ee.
I have one basic question.
Let's assume that I get a jdbc connection in the beginning of a jsp file and close it at the end.
(I know it is a bad coding practice.)
Let's say. I want to open that jsp file.
When I open that page, it will open a connection and close it when the page is completely loaded.
My question is this:
What happens to the connection when I close the page before it is completely loaded?
i.e., if I close the page before it closes the connection???
I just want to know about this for my knowledge of java.
Thank you for your help. -
JApplet JDBC Bridge on jsp?
Using the JSP JDBC as the JApplet JDBC, is this possible?
I was planning to use the .jsp JDBC to the JDBC of the JApplet inside that .jsp.
Or in other terms, could I run the JApplet on as a server instead of the client?
I want to run the JApplet JDBC, but I couldn't because the JApplet runs as a client.
Thanks,
Cyril H.You can have make a servlet that's on the same server where the applet is coming from and then have the applet connect back to that server to ask the serverside to perform database access.
-
How can i give my users limited access to my JSPs, i.e i should be able to give access to different JSPs based on user.Can i do it?
Look at the security section of the spec. Simplest implementation uses
resource-level security, where resource could be a dir, extension or a
specific JSP.
Peace,
Cameron Purdy
Tangosol Inc.
<< Tangosol Server: How Weblogic applications are customized >>
<< Download now from http://www.tangosol.com/download.jsp >>
"nandu" <[email protected]> wrote in message
news:3b696405$[email protected]..
> How can i give my users limited access to my JSPs, i.e i should be able
to give access to different JSPs based on user.Can i do it?
-
Oracle 9.2 JDBC Security Issue
I cannot establish an Oracle connection using Oracle 9.2 JDBC in an applet (linking against classes12.zip or classes12.jar).
An application version of that applet works fine: the connection is established and I can select, insert, call PL/SQL procedures, etc...
The applet version, however, fails to connect, and raise a Security exception with the following message:
"java.util.PropertyPermission oracle.jserver.version read".
Needless to say, the applet and the database are on the same server.
Also, the security exception is not raised if I link my code against either classes111.zip or classes12.zip from an old Oracle 8.1.6 release: the applet connects OK.
As I am currently developing an upgrade of this old Oracle 8.1.6 release to Oracle 9.2, I wish I make profit of the improved features found in your new JDBC releases.
Do you have any idea on how to fix the problem ?
Note: I am using Oracle 9.2 developer release for MAC OS X, which otherwise works perfectly well for my purposes.
Thank youHello,
Can you provide a test case for such behaviour? And the versions of JDK used in those samples ....
It would be easier if we isolate java 1.5 issues from ojdbc issues.
Rick B. -
help me
Please can you help me with java policy file modifications
I would like to use jdbc-odbc,but when I try to connect it says access denied.
some code would be helpfull
thanksHi !
I am facing security problem with jdbc-odbc bridge too. what permission should i set in java.policy file so that servlet can connect with database via jdbc-odbc bridge ?? when i give all premision servlet easy connect with database but when i restrict permission .. it throws NoClassDefFoundException for sun.jdbc.odbc.JdbcOdbcDriver... Please any body help me tell me exact permission to set.
Maybe you are looking for
-
Can't delete calendars or events from iCal
I'm trying to delete Calendars from iCal, but after I delete them, they reappear. I've tried deleting the calendars and calendar cache from the user library, but to no avail. In addition, when I try to change or delete an event, it ends up duplicatin
-
Some sampe financial reports developed in abap ?
Hi, Can some one list or explain some sample custom FI/CO related reports that can be developed using ABAP ? Typically asked in client environment. I want to practise ALV reporting. thanks
-
Animate like the lines in all layers are drawn one after another
Hai there, With my inkling pen i've created a drawing for PS. It now contains 30 layers, each one has a line. I would like to animate these lines/layers, so it looks (in an animated gif) like the lines are drawn one by one. Is there a "quick" way to
-
ADF Authorization for ADF Mobile:Configuring Access Control URL for ADF App
Can someone explain, how to expose weblogic user roles as a Rest Json Api? Basically I want to set up Access Control URL to authorize users on adf mobile.
-
Problem trying to download SAP Mobile Platform SDK - Developer Edition
Dear All, when i try to go on: SAP Mobile Platform Developer Center and I click on: Download SAP Mobile Platform SDK - Developer Edition The system is returning to me: Forbidden You don't have permission to access /sap/cp/ui/resources/store/html/Solu