From "Andy Moller" <andymol...@gmail.com>
Subject Re: Tomcat 4.x (Major Problem)
Date Tue, 23 Jan 2007 04:20:40 GMT
On 1/22/07, Caldarale, Charles R <Chuck.Caldarale@unisys.com> wrote:
>
> > From: Andy Moller [mailto:andymoller@gmail.com]
> > Subject: Re: Tomcat 4.x (Major Problem)
>
> <snip>
>
> > String[] value1 = (request.getParameterValues("value_1") != null)
> >         ? request.getParameterValues("value_1")
> >         : new String[0];
>
> <snip>
>
> >         String singleVal1= value1[i];
>
> <snip>
>
> >                 query=
> >                     "insert into sample_table(id,val1,common_name,val2)"
> >                         + " values (sequence.nextVal,"
> >                         + singleVal1
> >                         + ",'"
> >                         + commonName
> >                         + "','"
> >                         + val2[j]
> >                         + "')";
>
> <snip>
>
> > However, the actual query printout (that causes an exception, and the
> > behavior I cannot justify)
> >     "insert into sample_table(id,val1,common_name,val2) values(
> > sequence.nextVal,nameB,'nameA','valueB1')"
>
> There's nothing in your code that checks the value_1 parameter set for
> being numeric or having other inappropriate values; consequently, you're
> at the mercy of the client to submit valid data.  No evidence here of
> anything but insufficiently robust programming.
>
> - Chuck



Andy: this is a premature judgment based on an isolated piece of code. Your
argument suggests that the client has control over the data being sent,
whereas it does not. The code assumes valid data, and errors were trapped at
the database level when the statement is executed. The programming tip is
appreciated, although it is out of context.



thanks,

Andy
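As an added example for readers of this thread (not code from either poster), here is the same insert written the way Chuck's remark implies: the `value_1` values are checked for being numeric before anything touches the database, and the SQL text is fixed with bind variables instead of string concatenation. The class name `SampleInsert`, the helper names, and the rule that `val1` must be an integer are assumptions; the table, column and parameter names are the ones from the posted code, and the `Connection` is whatever JDBC connection the caller already has. The `main` method needs no database and only shows what each approach does with the inputs seen in the printout.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example (hypothetical class, not from the thread): validated,
// parameterised version of the insert discussed above.
public class SampleInsert {

    // The posted approach, reproduced only to show the failure mode: whatever
    // arrives in value_1 is pasted into the SQL text unquoted, so a value such
    // as "nameB" produces the malformed statement quoted in the thread.
    static String buildByConcatenation(String singleVal1, String commonName, String val2) {
        return "insert into sample_table(id,val1,common_name,val2)"
                + " values (sequence.nextVal,"
                + singleVal1
                + ",'" + commonName
                + "','" + val2
                + "')";
    }

    // Validation step (assumed rule): val1 must be an integer; anything else is
    // rejected before a statement is built, instead of failing in the database.
    static long requireNumeric(String name, String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing parameter " + name);
        }
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(
                    "parameter " + name + " must be numeric, got '" + raw + "'", e);
        }
    }

    // Parameterised insert: the SQL text never changes, values travel as bind
    // variables, so client input cannot alter the statement's structure.
    static int insertRows(Connection conn, String[] value1, String commonName, String[] value2)
            throws SQLException {
        String sql = "insert into sample_table(id,val1,common_name,val2)"
                + " values (sequence.nextVal, ?, ?, ?)";
        int inserted = 0;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (String raw1 : value1) {
                long val1 = requireNumeric("value_1", raw1);
                for (String v2 : value2) {
                    ps.setLong(1, val1);
                    ps.setString(2, commonName);
                    ps.setString(3, v2);
                    inserted += ps.executeUpdate();
                }
            }
        }
        return inserted;
    }

    // Stand-alone demonstration with constructed inputs; no database needed.
    public static void main(String[] args) {
        // Constructed request: value_1 carries a name instead of a number,
        // matching the printout in the thread.
        String[] value1 = { "nameB" };
        String commonName = "nameA";
        String[] value2 = { "valueB1" };

        System.out.println(buildByConcatenation(value1[0], commonName, value2[0]));

        try {
            requireNumeric("value_1", value1[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before reaching the database: " + e.getMessage());
        }
        System.out.println("accepted: " + requireNumeric("value_1", " 42 "));
    }
}
```

Failing in `requireNumeric` rather than in the database also makes the diagnosis in the thread easier: the servlet can log which parameter held the unexpected value and what it contained, instead of surfacing an SQL exception after the statement text has already been assembled.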

