struts-user mailing list archives

From Gary Affonso <glis...@greywether.com>
Subject Re: Struts Validator to Prevent SQL Injection Attacks
Date Thu, 15 Nov 2007 19:13:32 GMT
Dave Newton wrote:
> --- Mike Duffy <mduffy_lists@yahoo.com> wrote:
>> Does anyone have a great solution for a validator
>> that will prevent users from entering malicious SQL
>> into form entry text fields?
> 
> I'm not sure that belongs in a validator; unless you
> never need to allow the use of a single quote. It is,
> however unlikely, conceivable that Little Bobby
> Tables[1] actually exists in the real world.
> 
> Personally I'd put escaping either in a separate
> interceptor or on the business logic/pre-business
> logic data scrubbing side of things.

Agreed.

If you're using Hibernate (or even raw JDBC with parameterized 
statements), you get scrubbing automagically...

http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

Note that it *is* possible to go wrong with Hibernate (and even easier 
to go wrong with JDBC), so read up on how you can accidentally break 
automagic scrubbing support.

Like Dave said, this is probably not something you want to do in an 
Interceptor (or even in your Service layer).  You almost certainly want 
this in your DAO layer and you probably want to rely on your 
underlying DAO tool to "do the right thing".

Just be sure to write unit tests (or in this case, integration tests) 
for the DAO methods to test the scrubbing.

If you're using Spring and its DAO support (you are, aren't you? :-) 
writing the DAO (either Hibernate or JDBC) is *really* easy and it 
has integration testing support that makes unit-testing the DAOs 
*really* awesome.

Did I mention that I like Spring? :-)

- Gary
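An added example, not code from the thread or from Struts, Hibernate or Spring, showing the point the replies above make: a DAO that concatenates input into the SQL text beside one that binds it as a parameter, and the DAO-level integration test that proves the difference. The list's stack is Java (JDBC PreparedStatement / Hibernate parameters); this uses Python's bundled sqlite3 module so it runs offline with no JDBC driver, and the mechanism is the same. The students table, its rows, and the two inputs (a tautology and a legitimate name containing an apostrophe) are constructed for the example.

```python
import sqlite3

# Constructed inputs for the example: one hostile, one legitimate but quote-bearing.
TAUTOLOGY = "x' OR '1'='1"
OBRIEN = "O'Brien"


def make_db():
    """Fresh in-memory database with a small constructed students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("Alice",), ("Bob",), ("O'Brien",)])
    conn.commit()
    return conn


class ConcatenatingDao:
    """The 'before': the name is pasted into the SQL text, so the database
    parses attacker-controlled characters as part of the statement."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT id, name FROM students WHERE name = '" + name + "' ORDER BY id"
        return self.conn.execute(sql).fetchall()


class ParameterizedDao:
    """The 'after': the statement is compiled with a placeholder and the value
    is bound separately, so it can never change the query's structure. This is
    the same mechanism as JDBC PreparedStatement.setString() and Hibernate's
    setParameter(); the driver, not your code, does the 'scrubbing'."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT id, name FROM students WHERE name = ? ORDER BY id"
        return self.conn.execute(sql, (name,)).fetchall()


def probe(dao_cls, name):
    """Run one lookup against a fresh DB; return the matching names, or the
    exception class name if the statement fails to parse."""
    dao = dao_cls(make_db())
    try:
        return [row[1] for row in dao.find_by_name(name)]
    except sqlite3.Error as exc:
        return type(exc).__name__


def dao_injection_checks():
    """The DAO-level integration test the post asks for: a tautology must
    match nothing, and a real apostrophe must round-trip unharmed."""
    return {
        # Concatenation: the tautology leaks every row; the legitimate name
        # breaks the query, which is why a 'no quotes' validator is the wrong fix.
        "concat_tautology": probe(ConcatenatingDao, TAUTOLOGY),  # ['Alice', 'Bob', "O'Brien"]
        "concat_obrien": probe(ConcatenatingDao, OBRIEN),        # 'OperationalError'
        # Parameters: the tautology is just a name that matches nobody,
        # and O'Brien is found.
        "param_tautology": probe(ParameterizedDao, TAUTOLOGY),   # []
        "param_obrien": probe(ParameterizedDao, OBRIEN),         # ["O'Brien"]
    }


if __name__ == "__main__":
    for check, result in dao_injection_checks().items():
        print(f"{check:18} -> {result}")
```

The two things worth asserting in such a test are the ones above: hostile input must not widen the result set, and input that legitimately contains SQL metacharacters must still work. A test that only checks the hostile case lets a "strip all quotes" validator pass, which is exactly the fix Dave argues against.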

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org