This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:JSP JSTL"

From OWASP

Jump to: navigation, search

Latest revision as of 20:52, 18 March 2008

A few things need clarification:

cookie - anything juicy? I can't remember what my problem was with this implicit object.
<c:redirect> - splitting?
<sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?

here's what i cut:

<sql:query>

This tag can execute its body as a sql statement.
It can also execute it’s sql attribute as a query.
Have not been able to prove sql injection, either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?

<sql:query var="test3" sql="SELECT * FROM mytable WHERE name='${taint}'"/>

  <sql:query var="deejays">
    SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
  </sql:query>

<sql:update>

<sql:update var="updateCount" sql="INSERT INTO mytable VALUES (3,'${taint}')"/>

  <sql:update var="updateCount">
    INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
  </sql:update>

<sql:param >
Cleanser sort of? Works like prepared statements.

Parameterized SQL statements – replace each ‘?’ with a parameter.

  <sql:query var="deejay">
    SELECT * FROM mytable WHERE name= ?
    <sql:param value="<%=request.getParameter("taintme")%>"/>
  </sql:query>

Retrieved from "https://wiki.owasp.org/index.php?title=Talk:JSP_JSTL&oldid=26788"