Re: best practice for handling single/double quotes, html characters, sql injection/poisoning
Hi Craig!! Yup, I am using prepared statements and it safely handles the single/double quotes beautifully. I guess I still have to filter out SQL constructs/keywords/statements myself before passing the data to my prepared statement objects.

Do you mean that instead of doing this:

I do this instead?:

or

woodchuck

--- Craig McClanahan <[EMAIL PROTECTED]> wrote:

> For embedded quotes, use JDBC prepared statements ... they take care
> of any escaping that is necessary for you.
>
> For embedded HTML, use Struts tags like to render the
> dynamic output to your page -- unless you tell them not to
> (filter="false"), any sensitive characters in HTML will be
> automatically escaped. In JSTL, the tag does the same thing
> unless you turn it off (escapeXML="false"). And in JSF
> ( filters unless you turn it off with escape="false").
>
> Craig
>
> On Wed, 25 Aug 2004 09:43:34 -0700 (PDT), Woodchuck
> <[EMAIL PROTECTED]> wrote:
> > Hihi,
> >
> > Does Struts or JSTL have a good way to handle data coming back from the
> > database that contains things like:
> > - ' (single quote)
> > - " (double quote)
> > - <,> (html characters)
> >
> > and also to prevent against SQL injection/poisoning attacks?
> >
> > Can someone shed light on best practice suggestions?
> >
> > Please, and thanks in advance!
> > woodchuck
Re: best practice for handling single/double quotes, html characters, sql injection/poisoning
For embedded quotes, use JDBC prepared statements ... they take care of any escaping that is necessary for you.

For embedded HTML, use Struts tags like to render the dynamic output to your page -- unless you tell them not to (filter="false"), any sensitive characters in HTML will be automatically escaped. In JSTL, the tag does the same thing unless you turn it off (escapeXML="false"). And in JSF ( filters unless you turn it off with escape="false").

Craig

On Wed, 25 Aug 2004 09:43:34 -0700 (PDT), Woodchuck <[EMAIL PROTECTED]> wrote:
> Hihi,
>
> Does Struts or JSTL have a good way to handle data coming back from the
> database that contains things like:
> - ' (single quote)
> - " (double quote)
> - <,> (html characters)
>
> and also to prevent against SQL injection/poisoning attacks?
>
> Can someone shed light on best practice suggestions?
>
> Please, and thanks in advance!
> woodchuck
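To show both halves of this advice in runnable form, here is an added example in Python; it is my code, not Craig's and not part of Struts or JSTL. The standard-library sqlite3 module stands in for a JDBC PreparedStatement and html.escape stands in for the escaping view tags; the comments table, the sample comment and the author names are constructed for the example. The parameterized lookup treats `' OR '1'='1` as a plain string, the concatenated lookup lets the same value rewrite the WHERE clause, a concatenated INSERT breaks on an embedded single quote, and escaping on output turns stored markup into inert text.

```python
import html
import sqlite3

# Constructed sample comment: a single quote, double quotes and markup all at once.
SAMPLE_BODY = "O'Brien said \"hi\" <script>alert(1)</script>"


def make_db():
    """In-memory SQLite table standing in for the application's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def save_comment(conn, author, body):
    """Parameterized INSERT: author/body travel as values, never as SQL text."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def find_bodies(conn, author):
    """Parameterized SELECT: a quote or keyword in `author` is just part of the compared string."""
    rows = conn.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchall()
    return [row[0] for row in rows]


def find_bodies_concat(conn, author):
    """The anti-pattern: string concatenation lets the data rewrite the WHERE clause."""
    sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def concat_insert_succeeds(conn, author, body):
    """Return True if a concatenated INSERT runs; an embedded quote turns it into a syntax error."""
    sql = "INSERT INTO comments (author, body) VALUES ('" + author + "', '" + body + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def render_body(body):
    """Escape on output, as the filtering view tags do: markup is displayed, not executed."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    save_comment(conn, "O'Brien", SAMPLE_BODY)
    save_comment(conn, "alice", "plain text")
    print(find_bodies(conn, "O'Brien"))                 # quotes round-trip unchanged
    print(find_bodies(conn, "x' OR '1'='1"))            # [] : the tautology is only a string
    print(find_bodies_concat(conn, "x' OR '1'='1"))     # every row: the clause was rewritten
    print(concat_insert_succeeds(conn, "O'Brien", "x"))  # False: the quote broke the SQL
    print(render_body(SAMPLE_BODY))
```

The escaping is done where the value is rendered, not where it is stored, so the database keeps the text exactly as the user typed it and the same row can later be rendered into a different context with a different escaper.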
RE: best practice for handling single/double quotes, html characters, sql injection/poisoning
--- Jim Barrows <[EMAIL PROTECTED]> wrote:

> > -----Original Message-----
> > From: Woodchuck [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 25, 2004 9:44 AM
> > To: struts
> > Subject: best practice for handling single/double quotes, html
> > characters, sql injection/poisoning
> >
> > Hihi,
> >
> > Does Struts or JSTL have a good way to handle data coming
> > back from the
> > database that contains things like:
> > - ' (single quote)
> > - " (double quote)
> > - <,> (html characters)
>
> No darn.
>
> > and also to prevent against SQL injection/poisoning attacks?
> >
> > Can someone shed light on best practice suggestions?
>
> My anti-injection techniques consist of:
> 1) Use prepared statements whenever possible. It will handle most of
> your concerns automagically.
> 2) If you're really paranoid, use a filter to go through all
> parameters on the way in looking for
> select.*from.*[(table1)(table2)], insert.*[(table1)(table2)] and
> other SQL syntax as well. [1]
> 3) HTML, you're looking for cross site scripting stuff, which, iirc is
> covered with \ want to allow any html.[1]
>
> Then the filter flags to email any generic (ie select.*from) for
> human eyeballs, and rejects on sql pattern that also includes table
> names. Does the same for html, although I do more flagging than
> rejecting.
>
> Looking for quotes and the like is fine, but there are so many
> exceptions that it's easier to use jakarta-oro or jakarta-regex to
> look for the things that are really a problem, and act on those.
>
> [1] Don't trust my regexes; I'm doing this off the top of my head.

Thanks a lot. I like using regex to do format and even (literal) type validation. Regex makes doing these validations easier imo, and, as you suggested, for filtering purposes.

Unfortunately my application is not database specific, so I am using JDBC and passing in embedded simple SQL query and update statements (and emulating the complicated routines that are often found in stored procedures, like cursors, etc., in the Java layer instead). So I guess I will write a function that all data being saved must pass through before actually saving, to eliminate SQL injection/poisoning, and another function to prevent my HTML pages from breaking for data coming out of the database (i.e. for single/double quotes, html characters).

The QA ppl here, I'm sure, will have fun trying to break my app. So how paranoid my filters get will depend on what level of "user from hell" they are, hehe.

Thanks again!
woodchuck
RE: best practice for handling single/double quotes, html characters, sql injection/poisoning
> -----Original Message-----
> From: Woodchuck [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 25, 2004 9:44 AM
> To: struts
> Subject: best practice for handling single/double quotes, html
> characters, sql injection/poisoning
>
> Hihi,
>
> Does Struts or JSTL have a good way to handle data coming
> back from the
> database that contains things like:
> - ' (single quote)
> - " (double quote)
> - <,> (html characters)

No

> and also to prevent against SQL injection/poisoning attacks?
>
> Can someone shed light on best practice suggestions?

My anti-injection techniques consist of:
1) Use prepared statements whenever possible. It will handle most of your concerns automagically.
2) If you're really paranoid, use a filter to go through all parameters on the way in looking for select.*from.*[(table1)(table2)], insert.*[(table1)(table2)] and other SQL syntax as well. [1]
3) HTML, you're looking for cross site scripting stuff, which, iirc is covered with \
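As an added illustration of the keyword-filter idea in point 2 of this message (and of the flag-versus-reject handling described in the longer copy of it quoted above), here is my own Python code, not Jim's and not from any Struts project. The patterns follow the select.*from.*(table) shape; the two table names and the request parameters are constructed. It also shows the limit a practitioner should keep in mind: the tautology `' OR '1'='1` contains no SQL keyword and passes the filter untouched, so the prepared statements of point 1 remain the control that actually stops injection and this filter is a detection aid; the benign "select a product from the list" matches the generic pattern, which is exactly the false positive that the flag-for-human-eyeballs handling exists for.

```python
import re

# Constructed table names; a real filter would list the application's own tables.
TABLE_NAMES = ("users", "orders")
TABLE_ALT = "(?:" + "|".join(TABLE_NAMES) + ")"
FLAGS = re.IGNORECASE | re.DOTALL

# SQL shapes that also name one of our tables: reject the request outright.
REJECT_PATTERNS = [
    re.compile(r"select.*from.*" + TABLE_ALT, FLAGS),
    re.compile(r"insert.*" + TABLE_ALT, FLAGS),
    re.compile(r"(?:update|delete\s+from|drop\s+table).*" + TABLE_ALT, FLAGS),
]

# Generic SQL shapes with no table name: only flag them for a human to look at.
FLAG_PATTERNS = [
    re.compile(r"select.*from", FLAGS),
    re.compile(r"union\s+select", FLAGS),
    re.compile(r"insert\s+into", FLAGS),
]


def classify(value):
    """Return 'reject', 'flag' or 'ok' for one parameter value."""
    if any(p.search(value) for p in REJECT_PATTERNS):
        return "reject"
    if any(p.search(value) for p in FLAG_PATTERNS):
        return "flag"
    return "ok"


def screen_request(params):
    """Apply classify() to every parameter, as a servlet filter would on the way in.

    Returns (verdict, {param: verdict}); the request verdict is the worst one seen.
    """
    verdicts = {name: classify(value) for name, value in params.items()}
    order = {"ok": 0, "flag": 1, "reject": 2}
    worst = max(verdicts.values(), key=order.__getitem__, default="ok")
    return worst, verdicts


# Constructed sample request parameters.
SAMPLE_REQUEST = {
    "comment": "Please select a product from the list",  # benign text, but flagged
    "search": "' OR '1'='1",                             # classic injection, no keyword: ok
    "name": "x'; DROP TABLE users; --",                  # names one of our tables: rejected
}


if __name__ == "__main__":
    verdict, detail = screen_request(SAMPLE_REQUEST)
    print(verdict)  # reject
    for name, v in detail.items():
        print(f"{name}: {v}")
```

The `flag` outcome is the one to route to e-mail for review; `reject` is the only outcome that should stop the request, and even then the parameterized query underneath is what keeps the rejected value from ever becoming SQL.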
best practice for handling single/double quotes, html characters, sql injection/poisoning
Hihi,

Does Struts or JSTL have a good way to handle data coming back from the database that contains things like:
- ' (single quote)
- " (double quote)
- <,> (html characters)

and also to prevent against SQL injection/poisoning attacks?

Can someone shed light on best practice suggestions?

Please, and thanks in advance!
woodchuck