struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhang, Larry \(L.\)" <>
Subject RE: Struts security/validation
Date Wed, 11 Aug 2004 17:56:33 GMT
Oracle sql insert needs to escape apostrophes so that you can insert apostrophes. So in your
case you may need a utility method to convert all your text containing apostrophes to some
thing like ''.

Example: If your user enters "I like he's idea", when inserting to data base you need to convert
it to be "l like he''s idea".

Hope this helps.

-----Original Message-----
From: Wiebe de Jong []
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation

I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
test fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined test, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-----Original Message-----
From: Craig McClanahan [] 
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <> wrote:
> Hello all,
> I'm in the process of trying to secure my struts application against
"Cross site scripting", "SQL injection" style attacks.
> One of the things I'm doing to prevent this is trying to restrict special
characters (;.<>(){}...etc) getting beyond the validator.

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts <bean:write>
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Googe isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message