Posted to users@tomcat.apache.org by "Curley, Thomas" <th...@euroconex.com> on 2003/12/12 10:48:01 UTC
SQL Injection and Tomcat
Hi,
I have an app using MySQL and TC4 on Linux, a JSP app.
Does Tomcat have any inbuilt features to filter out certain characters like ', ;, etc. from request URIs? Would a filter or valve implementation help with this, or is it necessary to parse all input (which may affect performance)?
Any experience?
thanks
Thomas
*********************************************************************************************
This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify emailadmin@euroconex.com and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses.
*********************************************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: SQL Injection and Tomcat
Posted by Andrey Rogov <An...@ukrpost.net>.
Hi,
You can configure the Valve parameter in your server.xml file:
    <Context path="" docBase="Root" debug="0">
      <Valve className="path.to.your.app.BadInputFilterValve"
             deny="\x00,\x04,\x08,\x0a,\x0d"/>
    </Context>
You can also buy the wonderful book "Tomcat: The Definitive Guide"
by Ian E. Darwin & Jason Brittain.
CT> Hi,
CT> I have an app using MySQL and TC4 on Linux, a JSP app.
CT> Does Tomcat have any inbuilt features to filter out certain characters like ', ;, etc. from request URIs? Would a filter or valve implementation help with this, or is it necessary to parse all input (which may
CT> affect performance)?
CT> Any experience?
CT> thanks
CT> Thomas
--
Best regards,
Andrey mailto:Andrey.Rogov@ukrpost.net
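For comparison with the Valve configuration above, here is an added example (my own, not the book's BadInputFilterValve and not from this thread) of the same deny-list idea written as a standard javax.servlet Filter, so it can be enabled per web application in web.xml rather than in server.xml. The class name, its `deny` init-param and the 400 response are assumptions; note that a character deny list also rejects legitimate input such as surnames containing an apostrophe, and it cannot make concatenated SQL safe, so it is defence in depth alongside bind variables, not a replacement for them.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not the book's BadInputFilterValve): rejects any request
// whose parameter values contain a character listed in the "deny" init-param,
// written in the same "\x00,\x04,\x08,\x0a,\x0d" notation as the Valve config.
public class DenyCharsFilter implements Filter {
    private Set<Character> denied = new HashSet<Character>();

    public void init(FilterConfig cfg) {
        denied = parseDenyList(cfg.getInitParameter("deny"));
    }

    // Parses "\x00,\x0a" into the set {'\u0000', '\n'}; a one-character token
    // such as ' or ; is taken literally. A null or empty spec denies nothing.
    static Set<Character> parseDenyList(String spec) {
        Set<Character> set = new HashSet<Character>();
        if (spec == null) return set;
        for (String tok : spec.split(",")) {
            tok = tok.trim();
            if (tok.startsWith("\\x") && tok.length() == 4) {
                set.add((char) Integer.parseInt(tok.substring(2), 16));
            } else if (tok.length() == 1) {
                set.add(tok.charAt(0));
            }
        }
        return set;
    }

    // Scans every value of every request parameter once (cost is linear in
    // the size of the input) and answers 400 Bad Request on the first hit.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        for (Object vals : req.getParameterMap().values()) {
            for (String v : (String[]) vals) {
                for (int i = 0; i < v.length(); i++) {
                    if (denied.contains(v.charAt(i))) {
                        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                        return;
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```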
Re: Re[2]: SQL Injection and Tomcat
Posted by Graham Reeds <gr...@omnieng.co.uk>.
Looking around for a book that covers TC 3.x I found Wrox Press'
"Professional Apache Tomcat" which covers 3.x, 4.0.x, and 4.1.x. Anyone
have any comments on this book (besides the glowing review at Amazon.co.uk?)
> TC4
>
> >> You can also buy the wonderful book "Tomcat: The Definitive Guide"
> >> by Ian E. Darwin & Jason Brittain.
>
> GR> Which version(s) of Tomcat does it cover? Amazon synopsis doesn't say which
> GR> version. I'm currently locked into TC3.2.3 so a book that covers 4.x might
> GR> not be a wise purchase.
>
> GR> G.
>
> --
> Best regards,
> Andrey mailto:Andrey.Rogov@ukrpost.net
Re[2]: SQL Injection and Tomcat
Posted by Andrey Rogov <An...@ukrpost.net>.
TC4
>> You can also buy the wonderful book "Tomcat: The Definitive Guide"
>> by Ian E. Darwin & Jason Brittain.
GR> Which version(s) of Tomcat does it cover? Amazon synopsis doesn't say which
GR> version. I'm currently locked into TC3.2.3 so a book that covers 4.x might
GR> not be a wise purchase.
GR> G.
--
Best regards,
Andrey mailto:Andrey.Rogov@ukrpost.net
Re: SQL Injection and Tomcat
Posted by Graham Reeds <gr...@omnieng.co.uk>.
> You can also buy the wonderful book "Tomcat: The Definitive Guide"
> by Ian E. Darwin & Jason Brittain.
Which version(s) of Tomcat does it cover? Amazon synopsis doesn't say which
version. I'm currently locked into TC3.2.3 so a book that covers 4.x might
not be a wise purchase.
G.
Need help to study thread dump
Posted by Vikas <vi...@yahoo.co.in>.
Hi,
My app is running on bes 5.1
The app sometimes stops responding and I have to restart my server. Below is a portion of the thread dump I got for the app:
    "VBJ ThreadPool Worker" daemon prio=5 tid=0x14f1148 nid=0xad70 waiting for monitor entry [e767d000..e767fc24]
        at com.vks.group.pkg.util.DBConnectionPool.getConnection(DBConnectionPool.java:166)
        - waiting to lock <efdc0158> (a com.vks.group.pkg.util.DBConnectionPool)
        at com.vks.group.pkg.util.DBConnectionPool.isDBPoolOK(DBConnectionPool.java:349)
        at com.vks.group.pkg.util.DBConnectionPoolManager.isDBPoolOK(DBConnectionPoolManager.java:219)
        at com.vks.group.pkg.util.DBUtil.isDBPoolOK(DBUtil.java:681)
        at com.vks.group.pkg.util.DBUtil.isDBPoolOK(DBUtil.java:677)
        at MyServResponse.processRequest(MyServResponse.java:39)
From the dump, all I could make out is that there is a lock wait on one object to get a database connection. Is it a problem with the Java code, or a problem with database unavailability?
We don't get this problem very frequently; it comes only once a month, i.e. we need to restart our server once every month. Has anybody come across such a problem in the past? Please help me with how to go about solving it.
******
Viks
******
Re: SQL Injection and Tomcat
Posted by Tim Funk <fu...@joedog.org>.
Not really. But as long as you use *only* bind variables in JDBC, you should
be immune to SQL injection.
-Tim
Curley, Thomas wrote:
> Hi,
>
> I have an app using MySQL and TC4 on Linux, a JSP app.
>
> Does Tomcat have any inbuilt features to filter out certain characters like ', ;, etc. from request URIs? Would a filter or valve implementation help with this, or is it necessary to parse all input (which may affect performance)?
>
> Any experience?
>
> thanks
>
> Thomas
>
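Tim's point in code, as an added example that is not from this thread or from Tomcat: the concatenated query a JSP might build from `request.getParameter("id")`, next to the same lookup with a bind variable, which is why no character filtering is needed to keep the SQL safe. The `customer(id, email)` table, the class and method names, and the use of Java 7 try-with-resources are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CustomerLookup {

    // Vulnerable pattern: the request parameter is pasted into the SQL text,
    // so a value containing a quote changes the structure of the statement
    // and the database can no longer tell the query apart from the data.
    public static String findEmailUnsafe(Connection conn, String customerId)
            throws SQLException {
        String sql = "SELECT email FROM customer WHERE id = '" + customerId + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Safe pattern: the SQL text is fixed and the value is bound to the "?"
    // placeholder. The driver sends it separately from the statement, so
    // quotes, semicolons or comment markers in the value are only data.
    public static String findEmail(Connection conn, String customerId)
            throws SQLException {
        String sql = "SELECT email FROM customer WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Typical call site in a servlet or JSP (conn obtained from your pool):
    //   String email = CustomerLookup.findEmail(conn, request.getParameter("id"));
}
```

Binding applies to every value that came from the request, including ones that have already been validated; the one thing a bind variable cannot cover is an identifier such as a table or column name, which must come from a fixed allow-list in the code rather than from the request.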