SQL Injection,CSS attacks, Script attacks in Java or J2ee web applications

To prevent SQL injection, CSS attacks and script attacks in Java/J2EE based web applications we had to add a filter which
inspects each and every field that is submitted to the application.
But be careful, as sometimes this filter may change the values of some inputs.
E.g.: in our test app, when we added this filter, all quotes (say, in the name field) were replaced by their HTML equivalents.
The reason is that there can be fields like a name, say Ram's (with an apostrophe). The apostrophe here would be replaced
with its HTML equivalent. So one way is to not allow the user to enter it (by having validation in the UI), or,
if you still need to allow it, exclude that field from the filter. Continue reading

Auto-populating Java objects from request parameters with Commons BeanUtils

Most Java MVC frameworks can auto-populate the properties of a domain model; what is actually populated is the property values of a newly created object of each domain model.
This in fact relies on JavaBean technology; what a JavaBean is, you can research yourself.

We could write our own class to auto-populate JavaBean properties, but it would not necessarily be thorough in every respect, so here we take the ready-made approach
and stand on the shoulders of giants rather than writing a framework from scratch: we use the Apache Jakarta Commons utility
package.
Continue reading

Escaping special characters in HTML

One reason cross-site scripting is so prevalent today is that our programmers' defenses are incomplete or even absent. In form-submission code
we need to filter certain special characters to prevent SQL injection,

<script></script>

and similar malicious attacks. In Java, replacing characters in a string
such as <, >, ", &, etc. is fairly simple, but before doing so we should note one thing: Java strings are immutable. As for why, reading the JDK
source will tell you; there are several reasons. In fact, our
Continue reading
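As an added example (not code from either post above), the following Java escaper handles the characters named in the third post, <, >, ", &, plus the apostrophe, and shows the caveat from the first post: escaping at input-filter time rewrites a stored name like Ram's, excluding a field leaves it as typed, and escaping at output time keeps stored data intact while still neutralising script in the rendered page. The class and method names are my own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example: escape the HTML-significant characters discussed in the posts above. */
public final class HtmlEscape {

    /** Escape &, <, >, " and ' so the value is inert when placed inside HTML text or attributes. */
    public static String escape(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16); // String is immutable, so build a new one
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // numeric form: &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter-style escaping of every submitted parameter, with per-field exclusion (the first post's workaround). */
    public static Map<String, String> escapeParams(Map<String, String> params, Set<String> exclude) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            boolean skip = exclude.contains(e.getKey());
            out.put(e.getKey(), skip ? e.getValue() : escape(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request: a name containing an apostrophe and a comment carrying script.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "Ram's");
        params.put("comment", "<script>alert(1)</script>");

        // 1. Escaping in the input filter: "Ram's" becomes "Ram&#39;s" before it is ever stored.
        System.out.println(escapeParams(params, Set.of()));
        // 2. Excluding the name field keeps "Ram's" as typed; the comment is still escaped.
        System.out.println(escapeParams(params, Set.of("name")));
        // 3. Escaping at output time: store the raw value, escape only when rendering into HTML.
        String stored = params.get("name");              // "Ram's" stays intact in the database
        System.out.println("<td>" + escape(stored) + "</td>");
    }
}
```

Option 3 avoids the data-corruption problem entirely, since the stored value is never altered and every rendering path escapes it.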