Difference between revisions of "Talk:JSP JSTL"
From OWASP
Earlier revision, edit summary: (New page: A few things need clarification: *cookie - anything juicy? I can't remember what my problem was with this implicit object. *<c:redirect> - splitting? *<sql:query>, <sql:update> - injectio...)

Line 2:
  *cookie - anything juicy? I can't remember what my problem was with this implicit object.
  *<c:redirect> - splitting?
− *<sql:query>, <sql:update> -
− *<sql:
+ *<sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?<br>
+
+ here's what i cut:<br>
+
+ '''<sql:query>'''<br>
+ * This tag can execute its body as a sql statement.
+ * It can also execute it’s sql attribute as a query.
+ * Have not been able to prove sql injection, either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?
+ <pre>
+ <sql:query var="test3" sql="SELECT * FROM mytable WHERE name='${taint}'"/>
+ </pre>
+ <pre>
+ <sql:query var="deejays">
+ SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
+ </sql:query>
+ </pre>
+ '''<sql:update>'''<br>
+ <pre>
+ <sql:update var="updateCount" sql="INSERT INTO mytable VALUES (3,'${taint}')"/>
+ </pre>
+ <pre>
+ <sql:update var="updateCount">
+ INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
+ </sql:update>
+ </pre>
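Review bot: the added line "*<sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?" is answered by the examples added further down in the same hunk, and the cut text should say so rather than "Have not been able to prove sql injection". The JSTL SQL tags do execute through java.sql.PreparedStatement, but binding only happens for "?" placeholders filled by nested <sql:param> tags. In `sql="SELECT * FROM mytable WHERE name='${taint}'"` the EL expression is expanded to text before the tag runs, and in `name='<%=request.getParameter("taintme")%>'` the scriptlet is expanded by the JSP compiler even earlier, so in all four examples the driver receives a statement with the untrusted value already spliced into the SQL text and no parameter to bind; they are injectable in the ordinary way. Suggest keeping the examples but contrasting them with `WHERE name = ? <sql:param value="${taint}"/>` so the "prepared statements" claim is not read as protection for the interpolated forms.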
Revision as of 20:36, 18 March 2008
A few things need clarification:
- cookie - anything juicy? I can't remember what my problem was with this implicit object.
- <c:redirect> - splitting?
- <sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?
Here's what I cut:
<sql:query>
- This tag can execute its body as a SQL statement.
- It can also execute its sql attribute as a query.
- Have not been able to prove SQL injection, either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?
<sql:query var="test3" sql="SELECT * FROM mytable WHERE name='${taint}'"/>
<sql:query var="deejays">
SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
</sql:query>
<sql:update>
<sql:update var="updateCount" sql="INSERT INTO mytable VALUES (3,'${taint}')"/>
<sql:update var="updateCount">
INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
</sql:update>
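The following page is an added example and is not part of the talk-page post or the OWASP wiki page. It puts the interpolating forms quoted above beside the parameterised form the JSTL SQL tags provide, which is the only form that actually benefits from the PreparedStatement the tags use internally. The JNDI name jdbc/appDS, the table mytable(id, name) and the request parameters id and taintme are assumptions made for the example.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/sql"  prefix="sql" %>

<%-- Assumed for this example: a container-managed DataSource bound at the
     JNDI name jdbc/appDS (resolved under java:comp/env) and a table
     mytable(id INTEGER, name VARCHAR). Both are placeholders. --%>
<sql:setDataSource var="ds" dataSource="jdbc/appDS" />

<%-- VULNERABLE: ${param.taintme} is evaluated by the EL engine before the
     tag executes, so the raw request value is spliced into the SQL text.
     The tag still goes through PreparedStatement, but there is no '?' to
     bind, so a value such as   x' OR '1'='1   rewrites the WHERE clause to
     name = 'x' OR '1'='1' and matches every row. The scriptlet form used
     on the talk page, '<%=request.getParameter("taintme")%>', is expanded
     by the JSP compiler even earlier and is injectable in the same way. --%>
<sql:query var="unsafe" dataSource="${ds}">
  SELECT id, name FROM mytable WHERE name = '${param.taintme}'
</sql:query>

<%-- FIXED: a '?' placeholder plus a nested <sql:param> binds the value via
     PreparedStatement, so it is compared as data and cannot change the
     statement. A missing parameter binds SQL NULL rather than breaking
     the query. --%>
<sql:query var="safe" dataSource="${ds}">
  SELECT id, name FROM mytable WHERE name = ?
  <sql:param value="${param.taintme}" />
</sql:query>

<%-- The same applies to <sql:update>. When the statement is given in the
     sql attribute, the body may still hold the <sql:param> bindings. --%>
<sql:update var="updateCount" dataSource="${ds}"
            sql="INSERT INTO mytable (id, name) VALUES (?, ?)">
  <sql:param value="${param.id}" />
  <sql:param value="${param.taintme}" />
</sql:update>

<%-- Result objects expose rowCount and rows; output is escaped with
     <c:out> so a stored value cannot also become an XSS payload. --%>
<p>unsafe rows: ${unsafe.rowCount}, safe rows: ${safe.rowCount},
   inserted: ${updateCount}</p>
<c:forEach var="row" items="${safe.rows}">
  <p><c:out value="${row.name}" /></p>
</c:forEach>
```

Requesting the page with taintme set to `x' OR '1'='1` makes the difference visible: the interpolated query's WHERE clause becomes `name = 'x' OR '1'='1'`, while the bound query looks for a row whose name is literally that string. `<sql:setDataSource>` also accepts a JDBC URL in the form `url,driver,user,password` if the application has no container DataSource, though credentials then live in the page source.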