Fixing Cross-site Scripting in Java

Posted by on May 1, 2012 2 Comments

Use when the parameter is being echoed:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<p>Welcome <c:out value="${user.name}" /></p>

Use while taking the user input:

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<input name="username" value="${fn:escapeXml(param.username)}">

Fixing SQL Injection in JSP and Oracle

Posted by on May 26, 2011 0 Comment

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages.

An SQL Injection attack is a code injection attack when input from an attacker reaches one of your databases without any filteration or validation. As a result, a malicious user can execute Read / Write / Delete / Update query in your database. In addition to this he can also run system level commands. The following example shows how JSP can be used to interact with an Oracle database to retrieve values based on user input. Using the following methods you can filter any malicious input from the user thereby preventing any possible SQL Injection.

 

Parameterized Query

<pre>
// Prepare a query containing a bind variable.
   String sql = "SELECT * FROM emp WHERE dept = ? ORDER BY empno";
   PreparedStatement stmt = conn.prepareStatement(sql);

// Bind the value into the prepared statement.
   stmt.setInt(1, new Integer(dept).intValue());

// Execute the completed statement.
   ResultSet rs  = stmt.executeQuery();