[Opensource] are ActionForms under expresso filtered for SQL injection (and other security issues)?
Michael Rimov
rimovm at centercomp.com
Wed Jan 29 16:19:31 PST 2003
At 04:40 PM 1/28/2003 -0600, you wrote:
>I've been assuming that when using ActionForms under expresso, input is
>still filtered with the security filters the same way expresso inputs are.
>
>I'm hoping this is correct - please? Evil assumptions - bad mike, bad
Correct... bad Mike bad Mike! :)
What we DO cover:
- Rudimentary prevention of SQL injection in DBObjects by filtering special
characters such as single quotes, etc.
- XSS protection by filtering all DBObject.getField() calls, so you don't
accidentally write any javascript to a page that was stored in the database.
Where we still need filtering: when range expressions are put in
DBObject.setField(), I do not believe you're really protected from SQL
injection at that level. I'm working on a 'workaround' that better
enforces the syntax put in the fields.
Since DBObject is such a huge beast, it may have other areas I haven't
thought of... which is why I'm not that interested in it being a form bean.
Make sense??
-Mike
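An added illustration of the "enforce the syntax" approach Mike mentions for range expressions passed to setField(). This is example code written for this archive page, not Expresso's own DBObject code; the class name, the accepted grammar (a comparison operator plus a number, or BETWEEN a AND b) and the sample inputs are assumptions. The point it shows is that stripping quotes does nothing for numeric comparisons, so the field value is whitelisted against a small grammar and rebuilt from the matched pieces rather than passed through.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical validator (not part of Expresso): only a plain numeric range
// expression is accepted; everything else is rejected before it can reach SQL.
public final class RangeExpressionValidator {

    // Optional comparison operator followed by one integer or decimal number.
    private static final Pattern COMPARISON =
        Pattern.compile("^\\s*(<=|>=|<>|!=|<|>|=)?\\s*(-?\\d+(\\.\\d+)?)\\s*$");

    // BETWEEN <number> AND <number>, case-insensitive.
    private static final Pattern BETWEEN =
        Pattern.compile("^\\s*BETWEEN\\s+(-?\\d+(\\.\\d+)?)\\s+AND\\s+(-?\\d+(\\.\\d+)?)\\s*$",
                        Pattern.CASE_INSENSITIVE);

    private RangeExpressionValidator() {}

    // Returns a SQL fragment rebuilt from the matched tokens, or throws if the
    // input is not one of the two accepted shapes. The field name is also
    // restricted to an identifier so it cannot carry SQL either.
    public static String normalize(String fieldName, String rawExpression) {
        if (!fieldName.matches("[A-Za-z_][A-Za-z0-9_]*")) {
            throw new IllegalArgumentException("invalid field name");
        }
        Matcher m = COMPARISON.matcher(rawExpression);
        if (m.matches()) {
            String op = m.group(1) == null ? "=" : m.group(1);
            return fieldName + " " + op + " " + m.group(2);
        }
        m = BETWEEN.matcher(rawExpression);
        if (m.matches()) {
            return fieldName + " BETWEEN " + m.group(1) + " AND " + m.group(3);
        }
        throw new IllegalArgumentException("range expression rejected: " + rawExpression);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two well-formed ranges and one that
        // contains no quote at all yet is not a range, so quote filtering
        // alone would have let it through.
        System.out.println(normalize("price", "> 5"));
        System.out.println(normalize("price", "between 1 and 10"));
        try {
            normalize("price", "5 OR 1=1");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```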