RE: Repost: Global request parameter filtering
Just "a pointer" to the following:

> Any pointers?
> How do you filter your SQL sensitive characters?

If you use java.sql.PreparedStatement you should not require any manual character filtering or escaping.

My two cents,
Patrick

Quoting Mike Whittaker <[EMAIL PROTECTED]>:

> Okay, no one seems to have any suggestions so having thought about this for about a week now here is what I propose to do.
>
> I'm just trying to implement very simple forms the Struts way; prepopulation & validation are not major concerns at the moment but I'd like to keep the option open.
> My main requirement is to retain global filtering of all request parameters, for instance to keep a database secure by escaping sensitive SQL characters.
>
> My other requirement is small URLs with tiny parameter names.
>
> 1/ Use DynaActionForms to define these tiny parameter names.
> 2/ The DynaActionForms will be a DAF subclass, which will implement an interface that specifies at least the set & get methods.
> 3/ Either the attributes of this DAF can be altered (eg filtering characters) with the aid of BeanUtils or a duplicate can be made to which this is done.
> 4/ Objects of type ThisInterface can then be shipped to the Business layer, Struts being transparent.
> 5/ The business layer can utilise a meaningful Constants interface that makes the tiny parameter names more meaningful.
>
> Does this sound okay?
>
> This was my other post on the same subject that has been lost in the postings barrage!
>
> > Say for instance you want to filter for all the ' " \ characters in request parameters, either removing them, or escaping them.
> >
> > Either way if you do it before the action form gets them, then on prepopulation of form fields the user will see these alterations (not desirable).
> > If you do it after you decide the form won't be returned then:
> >
> > a) It becomes difficult because you have just form bean method calls to get the parameters; something like filter(getMyString()) becomes a pain and open to missing out the filtering with potentially disastrous consequences!
> >
> > b) If you decided to somehow globally alter a session scoped form then again you have prepopulation alterations.
> >
> > I have seen that RequestProcessor may offer hope, I'd like to know the order that these RP methods are called.
> >
> > I realise that I could use BeanUtils and make a DynaBean copy of a form bean, filtering the parameters during the copy. Just seems overkill, and yet another object in the request.
> >
> > Any pointers?
> > How do you filter your SQL sensitive characters?

--
Portable: +41 (0)76 446 97 12
Fixe: +41 (0)32 71 007 74
Web: http://www.extentis.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
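As an added example (not code from the thread), the difference Patrick's pointer rests on: a value containing the ' " \ characters Mike wants to filter globally, stored by string concatenation versus bound through a java.sql.PreparedStatement. It assumes the H2 JDBC driver is on the classpath; the in-memory URL, the users table and the sample value are constructed for the demo.

```java
import java.sql.*;

// Added example, not from the thread. Assumes the H2 JDBC driver is on the
// classpath; the in-memory URL, the users table and the sample value are constructed.
public class ParamFilteringDemo {

    // The global request filter Mike describes: strip ' " \ from every parameter.
    // The value no longer matches what the user typed (the prepopulation problem
    // from the thread), and any value that never passes through it is unprotected.
    static String stripSqlChars(String s) {
        return s.replaceAll("['\"\\\\]", "");
    }

    // Query built by concatenation: the filtering exists only to protect this.
    // A single quote in the value breaks the statement (or alters it).
    static int insertByConcat(Connection c, String name) throws SQLException {
        try (Statement st = c.createStatement()) {
            return st.executeUpdate("INSERT INTO users(name) VALUES ('" + name + "')");
        }
    }

    // Patrick's pointer: bind the value as a parameter. The driver sends it as
    // data, so no request-level escaping is needed and the value round-trips intact.
    static int insertByPrepared(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("INSERT INTO users(name) VALUES (?)")) {
            ps.setString(1, name);
            return ps.executeUpdate();
        }
    }

    // Reads back with a bound parameter too, so the lookup is as safe as the insert.
    static boolean storedIntact(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) { return rs.next() && rs.getInt(1) == 1; }
        }
    }

    public static void main(String[] args) throws SQLException {
        String typed = "O'Brien \"Bob\" C:\\temp";  // constructed user input with ' " and \
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            c.createStatement().execute("CREATE TABLE users(name VARCHAR(255))");
            System.out.println("filtered copy: " + stripSqlChars(typed));  // data silently lost
            try { insertByConcat(c, typed); } catch (SQLException e) { System.out.println("concat failed: " + e.getMessage()); }
            insertByPrepared(c, typed);
            System.out.println("prepared statement stored value intact: " + storedIntact(c, typed));
        }
    }
}
```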
RE: Repost: Global request parameter filtering
Okay, no one seems to have any suggestions so having thought about this for about a week now here is what I propose to do.

I'm just trying to implement very simple forms the Struts way; prepopulation & validation are not major concerns at the moment but I'd like to keep the option open.
My main requirement is to retain global filtering of all request parameters, for instance to keep a database secure by escaping sensitive SQL characters.

My other requirement is small URLs with tiny parameter names.

1/ Use DynaActionForms to define these tiny parameter names.
2/ The DynaActionForms will be a DAF subclass, which will implement an interface that specifies at least the set & get methods.
3/ Either the attributes of this DAF can be altered (eg filtering characters) with the aid of BeanUtils or a duplicate can be made to which this is done.
4/ Objects of type ThisInterface can then be shipped to the Business layer, Struts being transparent.
5/ The business layer can utilise a meaningful Constants interface that makes the tiny parameter names more meaningful.

Does this sound okay?

This was my other post on the same subject that has been lost in the postings barrage!

> Say for instance you want to filter for all the ' " \ characters in request parameters, either removing them, or escaping them.
>
> Either way if you do it before the action form gets them, then on prepopulation of form fields the user will see these alterations (not desirable).
> If you do it after you decide the form won't be returned then:
>
> a) It becomes difficult because you have just form bean method calls to get the parameters; something like filter(getMyString()) becomes a pain and open to missing out the filtering with potentially disastrous consequences!
>
> b) If you decided to somehow globally alter a session scoped form then again you have prepopulation alterations.
>
> I have seen that RequestProcessor may offer hope, I'd like to know the order that these RP methods are called.
>
> I realise that I could use BeanUtils and make a DynaBean copy of a form bean, filtering the parameters during the copy. Just seems overkill, and yet another object in the request.
>
> Any pointers?
> How do you filter your SQL sensitive characters?
Repost: Global request parameter filtering
Sorry to be a pain ~~

Say for instance you want to filter for all the ' " \ characters in request parameters, either removing them, or escaping them.

Either way if you do it before the action form gets them, then on prepopulation of form fields the user will see these alterations (not desirable).
If you do it after you decide the form won't be returned then:

a) It becomes difficult because you have just form bean method calls to get the parameters; something like filter(getMyString()) becomes a pain and open to missing out the filtering with potentially disastrous consequences!

b) If you decided to somehow globally alter a session scoped form then again you have prepopulation alterations.

I have seen that RequestProcessor may offer hope, I'd like to know the order that these RP methods are called.

I realise that I could use BeanUtils and make a DynaBean copy of a form bean, filtering the parameters during the copy. Just seems overkill, and yet another object in the request.

Any pointers?
How do you filter your SQL sensitive characters?

--
Mike W
Global request parameter filtering
Say for instance you want to filter for all the ' " \ characters in request parameters, either removing them, or escaping them.

Either way if you do it before the action form gets them, then on prepopulation of form fields the user will see these alterations (not desirable).
If you do it after you decide the form won't be returned then:

a) It becomes difficult because you have just form bean method calls to get the parameters; something like filter(getMyString()) becomes a pain and open to missing out the filtering with potentially disastrous consequences!

b) If you decided to somehow globally alter a session scoped form then again you have prepopulation alterations.

I have seen that RequestProcessor may offer hope, I'd like to know the order that these RP methods are called.

I realise that I could use BeanUtils and make a DynaBean copy of a form bean, filtering the parameters during the copy. Just seems overkill, and yet another object in the request.

Any pointers?
How do you filter your SQL sensitive characters?

--
Mike W