views: 15

answers: 1

I am not good at JSP, but I wondered what can cause such a problem when all other strings are displayed fine:

A JSP file queries information about people by their name from Contacts (MS Exchange). The query returns the person's full info, and the first and last names are printed. Last names with apostrophes (e.g. O'Reilly) aren't displayed at all.

What are the possible solutions?

Thanks in advance.

P.S. I know the way of asking is not suitable, but I need information from people who have had such a problem before.

A: 

You need to execute the SQL query by PreparedStatement instead of Statement, else your SQL query would break (and be prone to SQL injections as well).

Imagine the following query:

SELECT foo FROM tbl WHERE name = 'O'Reilly'

That would yield a SQL syntax error. You should have seen this if you checked the server logs. You should have seen this on screen when you used a servlet instead of JSP to do the task. With PreparedStatement the query would be sanitized as follows:

SELECT foo FROM tbl WHERE name = 'O\'Reilly'

This way SQL does understand this query and can execute it without problems.

On the other hand, you need to HTML-escape the results as well, otherwise it will be prone to XSS attacks.

Imagine the following display:

<input type='text' value='${name}'>

If ${name} is O'Reilly, then the HTML would effectively end up as

<input type='text' value='O'Reilly'>

and you would only see the O. What would happen if the name is '><script>alert('xss')</script><input type='text' value='? To fix this, use JSTL fn:escapeXml to display input:

<input type='text' value='${fn:escapeXml(name)}'>

(It is, by the way, more recommended to use double quotes instead of single quotes; the above is just an example.)

That said, you should technically also not be doing this inside a JSP file. Raw Java code belongs in a Java class, not a JSP file. JSP is a view technology, use it for the view part only.

BalusC
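The two fixes from the answer above, parameterized SQL and HTML-escaping of the output, as one added Java example. This is not BalusC's code or the asker's; it assumes a hypothetical table `contacts` with `first_name` and `last_name` columns and a JDBC `Connection` obtained elsewhere, and its `escapeHtml` helper reproduces what JSTL `fn:escapeXml` does so the same logic can live in a Java class rather than in the JSP.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example (not the answer's own code). Assumes a table `contacts`
// with columns first_name and last_name; the Connection is created elsewhere.
public class ContactDao {

    // Broken (and injectable): the value is pasted into the SQL text, so a
    // last name such as O'Reilly closes the literal early and the statement
    // no longer parses. Kept here only to show the shape of the bug.
    static String buildQueryUnsafe(String lastName) {
        return "SELECT first_name, last_name FROM contacts WHERE last_name = '"
                + lastName + "'";
    }

    // Fixed: the value is bound as a parameter and never becomes part of the
    // SQL text, so an apostrophe is just data and the query stays valid.
    public List<String[]> findByLastName(Connection conn, String lastName)
            throws SQLException {
        String sql = "SELECT first_name, last_name FROM contacts WHERE last_name = ?";
        List<String[]> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, lastName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] {
                        rs.getString("first_name"), rs.getString("last_name") });
                }
            }
        }
        return rows;
    }

    // Same escaping as JSTL fn:escapeXml: the five characters that can break
    // out of an attribute value or element body are replaced by entities.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders the input field with the value escaped; the quote in O'Reilly
    // can no longer terminate the attribute, so the whole name is displayed.
    static String renderInput(String name) {
        return "<input type=\"text\" value=\"" + escapeHtml(name) + "\">";
    }

    public static void main(String[] args) {
        System.out.println(buildQueryUnsafe("O'Reilly"));
        System.out.println(renderInput("O'Reilly"));
        System.out.println(renderInput("'><script>alert('xss')</script>"));
    }
}
```

Running `main` prints the malformed SQL that string concatenation produces for O'Reilly, then the escaped `<input>` markup for both the ordinary name and the script-bearing value from the answer, where every quote and angle bracket has become an entity and the browser shows it as literal text instead of interpreting it.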