tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Tomcat 4.x (Major Problem)
Date Mon, 22 Jan 2007 22:24:24 GMT
> From: Andy Moller [mailto:andymoller@gmail.com] 
> Subject: Re: Tomcat 4.x (Major Problem)

<snip>

> String[] value1 = (request.getParameterValues("value_1") != null)
>         ? request.getParameterValues("value_1")
>         : new String[0];

<snip>

>         String singleVal1= value1[i];

<snip>

>                 query=
>                     "insert into sample_table(id,val1,common_name,val2)"
>                         + " values (sequence.nextVal,"
>                         + singleVal1
>                         + ",'"
>                         + commonName
>                         + "','"
>                         + val2[j]
>                         + "')";

<snip>

> However, the actual query printout (that causes an exception, and the
> behavior I cannot justify)
>     "insert into sample_table(id,val1,common_name,val2) values(
> sequence.nextVal,nameB,'nameA','valueB1')"

There's nothing in your code that checks the value_1 parameter set for
being numeric or having other inappropriate values; consequently, you're
at the mercy of the client to submit valid data.  No evidence here of
anything but insufficiently robust programming.

 - Chuck
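To illustrate Chuck's point, here is an added example (not Andy's code, and not from the thread) of the two fixes he implies: validate value_1 as numeric before use, and bind the values with a PreparedStatement instead of concatenating them into the SQL string. It assumes the sample_table columns and the Oracle-style sequence.nextVal shown in the quoted query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
public class SafeInsert {
    // value_1 is expected to be a numeric id: reject anything else up front,
    // so a value like "nameB" from the quoted printout never reaches the database.
    static long[] parseIds(String[] raw) {
        if (raw == null) return new long[0];
        long[] ids = new long[raw.length];
        for (int i = 0; i < raw.length; i++) {
            try {
                ids[i] = Long.parseLong(raw[i].trim());
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException(
                    "value_1[" + i + "] is not numeric: " + raw[i]);
            }
        }
        return ids;
    }
    // Parameterised form of the quoted insert: values are bound, not concatenated,
    // so quotes in commonName or val2 cannot change the statement (table layout assumed).
    static int insertRows(Connection conn, long[] ids, String commonName, String[] val2)
            throws SQLException {
        String sql = "insert into sample_table(id,val1,common_name,val2)"
                   + " values (sequence.nextVal, ?, ?, ?)";
        int rows = 0;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (long id : ids) {
                for (String v : val2) {
                    ps.setLong(1, id);
                    ps.setString(2, commonName);
                    ps.setString(3, v);
                    rows += ps.executeUpdate();
                }
            }
        }
        return rows;
    }
    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameterValues("value_1")
        System.out.println(parseIds(new String[] {"17", "42"}).length + " ids accepted");
        try {
            parseIds(new String[] {"nameB"}); // the non-numeric value from the printout
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

insertRows needs a live JDBC Connection; main only exercises the validation step so it runs without a database.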




