tomcat-users mailing list archives

From rom...@zzict.nl
Subject RE: my jsp updates with null values: SECURITY ???
Date Thu, 21 Dec 2000 17:02:36 GMT


On Thu, 21 Dec 2000, Dave Newton wrote:

> I remember you; it looks better with the variables not in the quotes.
> 
> > <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> > <%!
> > //Declare your variables;
> > String DRIVER  = "org.gjt.mm.mysql.Driver";
> > String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> > String QUERY   = "insert into info values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"','"+city+"','"+state+"','"+zip+"','"+phone1+"')";
> > %>
> > <%
> > //some debug code to see what the values of these fields are... (not
> > working)
> > out.println(idnum);
> > out.println(fname);
> > out.println(lname);
> > out.println(addr1);
> > out.println(addr2);
> > out.println(city);
> > out.println(state);
> > out.println(phone1);
> > %>
> > 
> > <% //get information from another page, and, if there is no information, set the values to NULL
> > 
> >  String idnum = request.getParameter("idnum");
> >  String fname = request.getParameter("fname");
> >  String lname = request.getParameter("lname");
> >  String addr1 = request.getParameter("addr1");
> >  String addr2 = request.getParameter("addr2");
> >  String city = request.getParameter("city");
> >  String state = request.getParameter("state");
> >  String zip = request.getParameter("zip");
> >  String phone1 = request.getParameter("phone1");
> > 
> > %>
> 
> Is there any particular reason you set the values of the variables
> after you try to use them?
> 
> I think you'd be better off asking these questions in a java group,
> as this is a pretty straightforward error.
> 
> Dave
> 
Have you ever wondered what will happen if someone enters
a request with idnum set to something like
'0,...,);DROP info CASCADE;

right.

This brings us to the tip of the day:

USE PREPARED STATEMENTS OR FEAR THE WRATH OF THE WEB-HACKER.

have fun,
Sloot.
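For the record, here is the insert from the quoted JSP rewritten around a PreparedStatement. This is an added example, not code from the thread: the table name `info` and the nine parameter names are the ones in the quoted page, the column order is assumed to match the original positional insert, and the `InfoInsert` class and its method names are mine.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Types;
import javax.servlet.http.HttpServletRequest;

/*
 * Added example: the "insert into info" from the quoted JSP done with a
 * PreparedStatement. Parameter names come from the thread; the column order
 * of table "info" is assumed to match the original positional insert.
 */
public class InfoInsert {

    static final String[] PARAMS = {
        "idnum", "fname", "lname", "addr1", "addr2",
        "city", "state", "zip", "phone1"
    };

    // One '?' placeholder per column; the SQL text never changes at runtime,
    // so request values can only ever be data, never part of the statement.
    static final String INSERT_SQL =
        "insert into info values (?, ?, ?, ?, ?, ?, ?, ?, ?)";

    /** Reads the nine form fields first; a missing field comes back as null. */
    static String[] readFields(HttpServletRequest request) {
        String[] values = new String[PARAMS.length];
        for (int i = 0; i < PARAMS.length; i++) {
            values[i] = request.getParameter(PARAMS[i]);
        }
        return values;
    }

    /** Binds each value as a parameter. An idnum like the one in the reply
     *  above is stored verbatim as a string; the driver never parses it as SQL.
     *  Null fields become SQL NULL, which is what the original JSP intended. */
    static int insertInfo(Connection conn, String[] values) throws SQLException {
        if (values.length != PARAMS.length) {
            throw new IllegalArgumentException("expected " + PARAMS.length + " fields");
        }
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            for (int i = 0; i < values.length; i++) {
                if (values[i] == null) {
                    ps.setNull(i + 1, Types.VARCHAR);  // explicit SQL NULL
                } else {
                    ps.setString(i + 1, values[i]);    // bound as data
                }
            }
            return ps.executeUpdate();                 // rows inserted
        }
    }
}
```

In the JSP, call `readFields(request)` before `insertInfo(...)`, which also fixes the ordering problem Dave pointed out: the parameters are read first and the statement is built and executed afterwards.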

