Posted to user@struts.apache.org by "Craig R. McClanahan" <cr...@apache.org> on 2001/06/02 03:31:09 UTC

Re: filtering unwanted characters


On Fri, 11 May 2001, Ian Kallen <ia...@covalent.net> wrote:

> 
> Apache 2.0 supports input filters, how about writing one that cleans the
> data input before mod_jk/mod_webapp can hand it off to Tomcat?
> 

In a Servlet 2.3 environment (such as Tomcat 4.0), you can use the new
Filter APIs to accomplish the same thing.

However, either of these approaches means you have to parse out the
request parameters and put them back together again for the
"real" servlet.  That sounds like a lot more work than should be needed.

> On Fri, 11 May 2001, Nanduri, Amarnath wrote:
> > I am looking for some open source code that deals with filtering
> > technology. Basically I want to filter any unwanted characters from the user
> > input data. The user might try to pass in some SQL queries or try to run
> > some shell scripts or put special characters which might be rejected by a
> > database (or even corrupt it). If no such open source code is
> > available then I want to write something like that. I was wondering
> > if anyone has done some
> 

Have you considered putting stuff like this in the validate() method of
your form bean?  You could probably write a common utility method that
scanned a String for unwanted characters, returning "true" if there was a
problem.  Then, your validate() method would pass all the input strings in
the form through this method to look for problems.

The other thing that really really helps when doing database stuff is to
use JDBC PreparedStatement objects.  That way, even if your users try to
pass in weird command delimiters and stuff, it ends up inside an SQL
string that is properly quoted by the driver itself, rather than modifying
the SQL command you are trying to run.

> cheers,
> -Ian
> 
> --
> Ian Kallen <ia...@covalent.net> | AIM: iankallen
> 
> 

Craig
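The two suggestions above (a shared scanner called from a form bean's validate(), and binding user values through a JDBC PreparedStatement) as an added example; this is an illustration written for this page, not code from the thread or from Struts, and the rejected-character set, the "users" table and its "username" column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example (not code from the thread or from Struts): a scanner that a
 * form bean's validate() can run over every field, and a JDBC lookup that
 * binds the value with PreparedStatement instead of splicing it into the SQL.
 */
public class InputCheck {
    // Characters this application rejects outright. The set is an assumption
    // made for the example; tailor it to what each field may legitimately hold.
    private static final String UNWANTED = "';\"\\`|&<>";

    /** True if s is null or contains any character from UNWANTED. */
    public static boolean hasUnwantedChars(String s) {
        if (s == null) {
            return true;
        }
        for (int i = 0; i < s.length(); i++) {
            if (UNWANTED.indexOf(s.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up a user by name. The driver binds the value for the '?' placeholder,
     * so quotes or semicolons in username reach the database as data, not as
     * part of the command. Assumes a "users" table with a "username" column.
     */
    public static boolean userExists(Connection conn, String username) throws SQLException {
        // Never concatenate: "SELECT 1 FROM users WHERE username = '" + username + "'" is the vulnerable form.
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain value and one carrying a quote and a semicolon.
        System.out.println("amarnath -> " + hasUnwantedChars("amarnath"));
        System.out.println("x'; y    -> " + hasUnwantedChars("x'; y"));
    }
}
```

The main() exercises only the scanner; userExists() needs a live JDBC Connection from whatever driver the application already uses.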



Re: filtering unwanted characters

Posted by Jonathan Asbell <ja...@i-2000.com>.
See the character filter I donated last week

----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: <st...@jakarta.apache.org>
Sent: Friday, June 01, 2001 9:31 PM
Subject: Re: filtering unwanted characters


>
>
> On Fri, 11 May 2001, Ian Kallen <ia...@covalent.net> wrote:
>
> >
> > Apache 2.0 supports input filters, how about writing one that cleans the
> > data input before mod_jk/mod_webapp can hand it off to Tomcat?
> >
>
> In a Servlet 2.3 environment (such as Tomcat 4.0), you can use the new
> Filter APIs to accomplish the same thing.
>
> However, either of these approaches means you have to parse out the
> request parameters and put them back together again for the
> "real" servlet.  That sounds like a lot more work than should be needed.
>
> > On Fri, 11 May 2001, Nanduri, Amarnath wrote:
> > > I am looking for some open source code that deals with filtering
> > > technology. Basically I want to filter any unwanted characters from the user
> > > input data. The user might try to pass in some SQL queries or try to run
> > > some shell scripts or put special characters which might be rejected by a
> > > database (or even corrupt it). If no such open source code is
> > > available then I want to write something like that. I was wondering
> > > if anyone has done some
> >
>
> Have you considered putting stuff like this in the validate() method of
> your form bean?  You could probably write a common utility method that
> scanned a String for unwanted characters, returning "true" if there was a
> problem.  Then, your validate() method would pass all the input strings in
> the form through this method to look for problems.
>
> The other thing that really really helps when doing database stuff is to
> use JDBC PreparedStatement objects.  That way, even if your users try to
> pass in weird command delimiters and stuff, it ends up inside an SQL
> string that is properly quoted by the driver itself, rather than modifying
> the SQL command you are trying to run.
>
> > cheers,
> > -Ian
> >
> > --
> > Ian Kallen <ia...@covalent.net> | AIM: iankallen
> >
> >
>
> Craig
>
>