tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Singleton <p...@jbgb.com>
Subject Re: security question for this group
Date Sun, 06 Nov 2005 18:04:10 GMT
Prabhat Kumar (IT) wrote:
> I am trying to figure out how to prevent a situation where a user has a runaway page
that is a super user page (and unauthorized). The page has a text area that takes an SQL query
and executes this on the applications database.
> 
> My question is, how can such unauthorized tasks be prevented in general?

The only Java Server Pages available to the user are
those which you deploy, so don't create such a page in
the first place :-)

If you need to evaluate SQL queries, set them up in
advance as PreparedStatements, then just solicit
parameter values from the user; if you construct SQL
queries from text supplied by the user, they may be
able to "inject" commands to do things you don't want
them to be able to do

RTFM for various techniques for authorizing users

Paul Singleton


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.362 / Virus Database: 267.12.8/162 - Release Date: 5/Nov/2005


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message