Difference between revisions of "Talk:JSP JSTL"

From OWASP
(New page: A few things need clarification: *cookie - anything juicy? I can't remember what my problem was with this implicit object. *<c:redirect> - splitting? *<sql:query>, <sql:update> - injectio...)
 
Line 2: Line 2:
 
*cookie - anything juicy?  I can't remember what my problem was with this implicit object.
 
*cookie - anything juicy?  I can't remember what my problem was with this implicit object.
 
*<c:redirect> - splitting?
 
*<c:redirect> - splitting?
*<sql:query>, <sql:update> - injection?  I couldn't get this to work.   
+
*<sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?<br>  
*<sql:param> - if sql injection is possible then this would essentially work like prepared stmts right?
+
 
 +
here's what i cut:<br>
 +
 
 +
'''<sql:query>'''<br>
 +
* This tag can execute its body as a sql statement.
 +
* It can also execute it’s sql attribute as a query.
 +
* Have not been able to prove sql injection, either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?
 +
<pre>
 +
<sql:query var="test3" sql="SELECT * FROM mytable WHERE name='${taint}'"/>
 +
</pre>
 +
<pre>
 +
  <sql:query var="deejays">
 +
    SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
 +
  </sql:query>
 +
</pre>
 +
'''<sql:update>'''<br>
 +
<pre>
 +
<sql:update var="updateCount" sql="INSERT INTO mytable VALUES (3,'${taint}')"/>
 +
</pre>
 +
<pre>
 +
  <sql:update var="updateCount">
 +
    INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
 +
  </sql:update>
 +
</pre>
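Review bot: the examples added under "here's what i cut" build the SQL text before JSTL ever sees it, so the prepared-statement claim in the rewritten `<sql:query>, <sql:update>` bullet does not cover them: `${taint}` in the `sql` attribute is expanded by the EL evaluator and `<%=request.getParameter("taintme")%>` by the JSP compiler, and the `PreparedStatement` the tag then creates already contains the untrusted value inside the quotes. Suggest keeping the dropped `<sql:param>` bullet rather than removing it, and showing the bound form in the talk text, e.g. `SELECT * FROM mytable WHERE name = ?` in the tag body followed by `<sql:param value="${taint}"/>`, since that is the only way the value reaches the driver as a parameter instead of as SQL.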

Revision as of 15:36, 18 March 2008

A few things need clarification:

  • cookie - anything juicy? I can't remember what my problem was with this implicit object.
  • <c:redirect> - splitting?
  • <sql:query>, <sql:update> - I hear these use prepared statements. Can anyone think of ways of misuse still?

here's what I cut:

<sql:query>

  • This tag can execute its body as a sql statement.
  • It can also execute its sql attribute as a query.
  • Have not been able to prove sql injection, either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?
<pre>
<sql:query var="test3" sql="SELECT * FROM mytable WHERE name='${taint}'"/>
</pre>
<pre>
  <sql:query var="deejays">
    SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
  </sql:query>
</pre>

<sql:update>

<pre>
<sql:update var="updateCount" sql="INSERT INTO mytable VALUES (3,'${taint}')"/>
</pre>
<pre>
  <sql:update var="updateCount">
    INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
  </sql:update>
</pre>
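The `<sql:param>` question raised above, worked through as an added example that is not part of the original talk page: the unsafe form from the post beside the bound form, against an assumed data source named `jdbc/mydb` and a hypothetical request parameter `taintme`.

```jsp
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>

<%-- Assumed data source: a JNDI name (a JDBC URL string also works here). --%>
<sql:setDataSource var="ds" dataSource="jdbc/mydb"/>

<%-- Unsafe (the form shown in the post): ${param.taintme} is substituted by the
     EL evaluator before the tag runs, so the PreparedStatement JSTL builds already
     contains the untrusted text inside the quotes and nothing is bound. --%>
<sql:query var="unsafe" dataSource="${ds}"
           sql="SELECT * FROM mytable WHERE name='${param.taintme}'"/>

<%-- Bound: the ? placeholder reaches the PreparedStatement unchanged and
     <sql:param> supplies the value via setObject(), so the driver never
     parses it as SQL, whatever the request contains. --%>
<sql:query var="rows" dataSource="${ds}">
  SELECT * FROM mytable WHERE name = ?
  <sql:param value="${param.taintme}"/>
</sql:query>

<%-- Same pattern for <sql:update>: one <sql:param> per ? in order. --%>
<sql:update var="updateCount" dataSource="${ds}">
  INSERT INTO mytable VALUES (?, ?)
  <sql:param value="3"/>
  <sql:param value="${param.taintme}"/>
</sql:update>

<c:out value="${rows.rowCount}"/> row(s) matched,
<c:out value="${updateCount}"/> row(s) inserted.
```

The `unsafe` query is kept only to show the contrast; in a real page only the `?` plus `<sql:param>` form should remain, and the body text of the tag must not contain `${...}` or scriptlet expressions built from request data.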