[Opensource] are ActionForms under expresso filtered for SQL
injection (and other security issues)?
Mike Traum
mtraum at cirnetwork.org
Tue Jan 28 14:40:14 PST 2003
I've been assuming that when using ActionForms under expresso, input is
still filtered with the security filters the same way expresso inputs are.
I'm hoping this is correct - please? Evil assumptions - bad mike, bad
mike....
mike
-----Original Message-----
From: Michael Rimov [mailto:rimovm at centercomp.com]
Sent: Tuesday, January 28, 2003 1:52 PM
To: opensource at jcorporate.com
Subject: RE: [Opensource] OR mapping best practices?
At 10:18 AM 1/26/2003 -0500, you wrote:
>Gang:
>
>[Mike Traum said...]
> > If you use getField() and setField(), you are essentially accessing the column
> > name directly which gives you no independence from the table schema.
>
>I've been using a technique I learned from the Expresso Job code. For
>example getField(Employee.FLD_NAME). It's a bit more code but less
>typing because Eclipse does the completion for me ;) Perhaps this
>should be an Expresso "best practice."
Yes, I agree. We'll get it documented for 5.1.
> > What I've been doing lately is exposing the DBObject fields with getters and
> > setters.
>
>I've been writing getters but for a different reason. I've been using
>JSTL and I like it a lot; reminds me of Velocity. For me, it is the
>shortest path from a query/DBObject to JSP output. I see that 5.0.3
>includes the JSTL jars and tld's, so someone else is using it also.
Yes, I'm the one using JSTL in my own projects. However, I'm ONLY using it
to access ControllerResponse objects. [5.0.3 exposes the underlying maps
that ControllerResponse uses to make it JSTL compatible].
I'm a bit nervous about putting DBObjects directly as form objects simply
because DBObjects don't validate their input that well, and I smell SQL
Injection attacks through this. [Just a gut reaction here...]
Mike T. Your practice makes sense, although you'll notice that DBObjects
are similar to Dynabeans which are fast becoming the latest opensource
'fad'... So ... But there is absolutely nothing wrong with what you're
doing. In fact, I tend to prefer that method myself. :)
-Mike
_______________________________________________
Opensource mailing list
Opensource at jcorporate.com
http://mail.jcorporate.com/mailman/listinfo/opensource
Archives: http://mail.jcorporate.com/pipermail/opensource/
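The concern raised in the quoted reply (binding request input straight into a DBObject, then letting that input reach SQL) can be shown as a small, self-contained binding step. This is an added illustration, not Expresso or jcorporate code: the `FLD_*` constants, the `employee` table, the field validators and the request map are all assumptions constructed for the example. The two defensive points it demonstrates are that the request may never choose which columns are touched (only whitelisted field names, in the `Employee.FLD_NAME` style the thread mentions, are accepted) and that values are carried as `PreparedStatement` parameters rather than spliced into SQL text.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example, not part of the Expresso framework: a form-to-record binding
// that whitelists field names and validates values before any SQL is built.
public class SafeFormBinding {

    // Hypothetical schema constants, in the style of Employee.FLD_NAME.
    static final String FLD_NAME = "name";
    static final String FLD_DEPT = "dept";
    static final Set<String> ALLOWED_FIELDS = Set.of(FLD_NAME, FLD_DEPT);

    // Per-field validators (assumed rules): full-match length and character class.
    static final Map<String, Pattern> VALIDATORS = Map.of(
        FLD_NAME, Pattern.compile("[A-Za-z .'-]{1,64}"),
        FLD_DEPT, Pattern.compile("[A-Z]{2,8}")
    );

    // Bind request parameters to a validated field->value map.
    // Unknown parameter names are dropped so the request cannot pick columns;
    // values that fail their validator abort the binding.
    static Map<String, String> bind(Map<String, String[]> requestParams) {
        Map<String, String> record = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
            String field = e.getKey();
            if (!ALLOWED_FIELDS.contains(field)) {
                continue;
            }
            String value = e.getValue().length > 0 ? e.getValue()[0] : "";
            if (!VALIDATORS.get(field).matcher(value).matches()) {
                throw new IllegalArgumentException("invalid value for field " + field);
            }
            record.put(field, value);
        }
        return record;
    }

    // SQL text with placeholders plus the parameter list that goes to setString().
    static final class ParamQuery {
        final String sql;
        final List<String> params;
        ParamQuery(String sql, List<String> params) {
            this.sql = sql;
            this.params = params;
        }
    }

    // Only whitelisted column names are spliced into the statement text;
    // every user-supplied value becomes a '?' placeholder.
    static ParamQuery updateStatement(String table, Map<String, String> record, int id) {
        StringJoiner sets = new StringJoiner(", ");
        List<String> params = new ArrayList<>();
        for (Map.Entry<String, String> e : record.entrySet()) {
            sets.add(e.getKey() + " = ?");
            params.add(e.getValue());
        }
        params.add(Integer.toString(id));
        return new ParamQuery("UPDATE " + table + " SET " + sets + " WHERE id = ?", params);
    }

    public static void main(String[] args) {
        // Constructed request: one valid field and one parameter that is not a form field.
        Map<String, String[]> req = new LinkedHashMap<>();
        req.put(FLD_NAME, new String[]{"O'Brien"});
        req.put("is_admin", new String[]{"1"});

        Map<String, String> rec = bind(req);
        ParamQuery q = updateStatement("employee", rec, 42);
        System.out.println(q.sql);
        System.out.println(q.params);

        // A value containing a quote and comment marker fails the dept validator
        // and never reaches the statement builder.
        req.put(FLD_DEPT, new String[]{"ENG'--"});
        try {
            bind(req);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // With a real JDBC connection (not opened here) the statement would be run as:
        // PreparedStatement ps = conn.prepareStatement(q.sql);
        // for (int i = 0; i < q.params.size(); i++) ps.setString(i + 1, q.params.get(i));
    }
}
```

Run it with `java SafeFormBinding.java` on JDK 11 or later; no database is needed because the example stops at building the parameterized statement. The apostrophe in `O'Brien` is deliberately accepted by the name validator: with placeholders, a legitimate quote character in data is harmless, which is the property that string concatenation into SQL lacks.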