views: 40

answers: 2
Hello everyone,

I'm trying to pass an SQL query string from a Java Applet to a Servlet as a parameter.

The problem is that in the Applet I have something like: sql=select * from p where(+p=1)

The resulting sql parameter in the Servlet is sql=select * from p where(+p=1).

So does anyone know how to prevent the browser from removing the + character from parameters?

Is there an escape character?

Thank you.

+3  A: 

Do not EVER do this. This is a direct road to SQL injection (for example, any user can insert a DELETE statement into the GET string and crash your server).

Juriy
Yeah, I know... can't really do anything about it. The web application is on an intranet, so that's a relief.
Marquinio
I hate to be one of those infosec astronaut types, but the reality is that most attacks on an application are internal. Although my employer is wonderful (ahem) and would never cause disgruntlement (cough cough) in its employees, your mileage may vary.
Paul
+3  A: 

You can use java.net.URLEncoder for this.

    import java.net.URLEncoder;

    // Encode the whole parameter value (space -> '+', '+' -> %2B, etc.),
    // so the servlet container's decoding gives back exactly what was sent.
    param = URLEncoder.encode(param, "UTF-8");

That said, the whole idea is leaky and very prone to attacks. One could easily reveal the URL and manually send a DELETE FROM p to it. Rather, send commands as parameters, not complete SQL queries. Keep and hide the SQL queries on the server side.

BalusC
Hey, that's a good idea. I'll try encoding the +. Thanks.
Marquinio
No, not only the `+`. The **whole** parameter value.
BalusC
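As an added example (not code from BalusC, Juriy or the original page), the Java program below shows both halves of the advice in these two answers: encoding the whole parameter value with java.net.URLEncoder so that the '+' survives the trip from applet to servlet, and, on the server, accepting a command name instead of raw SQL and binding the client's value with a PreparedStatement. The class name ParamDemo, the command names findByName and findByCategory, the columns of table p, and the JDBC Connection passed to prepare() are all assumptions; the servlet itself is not shown, since the only servlet-specific line would be request.getParameter().

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class name; not part of the original question or answers.
public class ParamDemo {

    // Client side (applet): encode the WHOLE value, never just the '+'.
    // URLEncoder turns ' ' into '+', '+' into %2B, '(' into %28, '=' into %3D,
    // ')' into %29, and leaves letters, digits, '.', '-', '*' and '_' alone.
    static String encodeParam(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }

    // What the servlet container does to a raw query-string value before
    // request.getParameter() hands it back: '+' is form-encoding for a space,
    // which is why an unencoded '+' disappears on the servlet side.
    static String containerDecode(String raw) throws Exception {
        return URLDecoder.decode(raw, "UTF-8");
    }

    // Server side: the client sends a command name plus a value. The SQL text
    // never leaves the server and the value is bound, not concatenated.
    // Command names and the columns of table p are assumptions for this example.
    static final Map<String, String> COMMANDS = new HashMap<>();
    static {
        COMMANDS.put("findByName",     "SELECT * FROM p WHERE name = ?");
        COMMANDS.put("findByCategory", "SELECT * FROM p WHERE category = ?");
    }

    // Returns the SQL for an allowed command, or null for anything else
    // (e.g. a client that tries to send "DELETE FROM p" as the command name).
    static String lookupCommand(String command) {
        return COMMANDS.get(command);
    }

    // Binds the client-supplied value as a parameter. Any JDBC Connection can
    // be passed in; no driver is bundled with this example.
    static PreparedStatement prepare(Connection conn, String command, String value)
            throws SQLException {
        String sql = lookupCommand(command);
        if (sql == null) {
            throw new IllegalArgumentException("unknown command: " + command);
        }
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, value); // bound as a string literal, never spliced into the SQL
        return ps;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, the same string as in the question.
        String value = "select * from p where(+p=1)";

        // Sent raw, the container decodes the '+' into a space and it is lost.
        System.out.println("raw      -> " + containerDecode(value));

        // Encoded as a whole, the value survives the round trip intact.
        String encoded = encodeParam(value);
        System.out.println("encoded  -> " + encoded);
        System.out.println("decoded  -> " + containerDecode(encoded));
        System.out.println("intact?  -> " + value.equals(containerDecode(encoded)));

        // Server side: only named commands are accepted; raw SQL is rejected.
        System.out.println("findByName   -> " + lookupCommand("findByName"));
        System.out.println("DELETE FROM p -> " + lookupCommand("DELETE FROM p"));
    }
}
```

Compile and run with `javac ParamDemo.java && java ParamDemo`. The first line shows the raw value coming back with a space where the '+' was, the encoded value decodes to the original string, and the lookup returns null for the "DELETE FROM p" command name, which is the point of keeping the SQL on the server: the client can only choose among queries you wrote, and the value it supplies is bound by PreparedStatement rather than interpreted as SQL.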