Posted to users@tomcat.apache.org by Paul Singleton <pa...@jbgb.com> on 2005/11/06 19:04:10 UTC

Re: security question for this group

Prabhat Kumar (IT) wrote:
> I am trying to figure out how to prevent a situation where a user has a runaway page that is a super user page (and unauthorized). The page has a text area that takes an SQL query and executes this on the applications database.
> 
> My question is, how can such unauthorized tasks be prevented in general?

The only Java Server Pages available to the user are
those which you deploy, so don't create such a page in
the first place :-)

If you need to evaluate SQL queries, set them up in
advance as PreparedStatements, then just solicit
parameter values from the user; if you construct SQL
queries from text supplied by the user, they may be
able to "inject" commands to do things you don't want
them to be able to do.

RTFM for various techniques for authorizing users

Paul Singleton
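The contrast Paul draws, as an added example that is not part of the original thread: the first method builds the statement text from user input, the second fixes the SQL in advance as a PreparedStatement and binds the user's value as a parameter. The `accounts` table and column names are constructed for illustration, and `conn` is assumed to be an open JDBC connection to the application's database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Illustrative lookup, not code from the original post; table/column names are made up. */
public class AccountLookup {

    // Vulnerable pattern: the user's text becomes part of the SQL itself. A single
    // quote in the input ends the string literal early and whatever follows is
    // parsed by the database as SQL, which is the "injection" the reply warns about.
    static int countByNameUnsafe(Connection conn, String userSuppliedName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE name = '" + userSuppliedName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened form: the statement text is fixed at deployment time and contains only
    // a placeholder. The driver sends the user's value as bound data, so it is never
    // interpreted as part of the statement, whatever characters it contains.
    static int countByNameSafe(Connection conn, String userSuppliedName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userSuppliedName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```

Placeholders bind values only, not identifiers: a table or column name chosen by the user cannot be passed as a `?` parameter and must instead be matched against a fixed list of allowed names before it is spliced into the query.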

