Discussions

Web tier: servlets, JSP, Web frameworks: server side validation

  1. server side validation (3 messages)

    Hi all,

    Back in the scripting language, we are very cautious with what the user puts in. We have to validate the max length of the input so it won't cause a buffer overflow. We have to remove suspicious characters to prevent system attacks.

    Now in java web app, do we still need to do that?
    What is the validation required specific for java web app to prevent this kind of attacks?

    Thanks,

    R. Lie

    Threaded Messages (3)

  2. server side validation

    Yes, you should still do that. Just because you're using Java does not mean that the "normal attacks" are carried out by malicious HTML/JavaScript/VBScript "code." On the other hand, it does make it difficult to insert CGI code into the server, unless your server happens to support CGI...
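
    The kind of server-side check the reply above recommends, written out as an added example for a Java web app (this is not code from the thread or from any poster). The field name, the 32-character limit and the allowlist pattern are assumptions; the servlet call sites are shown only in a comment, so the class runs with a plain JDK (11 or later, for String.repeat).

```java
import java.util.regex.Pattern;

/**
 * Added example: server-side checks a servlet applies to a request parameter
 * before using it, whether or not the browser ran any JavaScript validation.
 * The field policy below (name, length, allowed characters) is an assumption.
 */
public class InputValidation {

    // Assumed policy for a "username" field: 1-32 chars of letters, digits, '.', '_' or '-'.
    private static final int MAX_USERNAME_LENGTH = 32;
    private static final Pattern USERNAME_ALLOWLIST = Pattern.compile("^[A-Za-z0-9._-]+$");

    /** Returns true only if the value satisfies the allowlist policy. */
    public static boolean isValidUsername(String value) {
        if (value == null || value.isEmpty()) {
            return false;                       // missing or empty parameter
        }
        if (value.length() > MAX_USERNAME_LENGTH) {
            return false;                       // explicit length limit, checked on the server
        }
        return USERNAME_ALLOWLIST.matcher(value).matches();
    }

    /**
     * Escapes the characters that are significant in HTML, so a value that is
     * echoed back into a page is rendered as text rather than as markup or script.
     */
    public static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /*
     * In a servlet the checks sit in doPost()/doGet(), for example:
     *   String user = request.getParameter("username");
     *   if (!isValidUsername(user)) { response.sendError(400); return; }
     *   out.println("Hello, " + escapeHtml(user));
     */
    public static void main(String[] args) {
        // Constructed sample inputs, not real request data.
        String[] samples = { "alice", "bob.smith-99", "", "<b>hi</b>", "a".repeat(40) };
        for (String s : samples) {
            System.out.println("[" + s + "] valid=" + isValidUsername(s)
                    + " escaped=" + escapeHtml(s));
        }
    }
}
```

    The two checks address different problems: the allowlist and length check reject input that should never reach application code, while escaping protects the page when a value (valid or not) is written back into HTML. Both belong on the server because the browser's checks can be skipped by any client that does not run the page's JavaScript.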

  3. server side validation

    I would say use as much JavaScript as you can to perform client side validation (format, length etc.), and only use server side validation if there is no way you can perform a client side validation. It saves you the network round trip, and also minimizes your server side code.

  4. server side validation

    A good persistence framework can really limit the kinds of cgi-style attacks you need to worry about. The classic CGI attack was to enter extraneous SQL code in the hope of breaking database updates. Modern persistence frameworks like EJB, JDO or Hibernate automatically escape special characters in generated SQL calls, making this kind of attack very difficult.
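
    To make the point of the reply above concrete, here is the same lookup written once with string concatenation and once with a JDBC PreparedStatement, which is the mechanism the persistence frameworks it names build on. This is an added example, not code from the thread; the table and column names are assumptions, and the parameterised method needs a real Connection and JDBC driver to execute, so main() only exercises the string-building half.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example: one user lookup, vulnerable and parameterised.
 * Table "users" with columns "id" and "name" is an assumption.
 */
public class UserLookup {

    /** Vulnerable pattern: the caller's value becomes part of the SQL text itself. */
    public static String buildConcatenatedQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    /**
     * Parameterised version: the SQL text is fixed and the driver transmits the
     * value separately, so quote characters in the input never alter the statement.
     * Returns the id, or null if no row matches.
     */
    public static Integer findUserId(Connection con, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);          // bound as data, not as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary surname that contains an apostrophe.
        String name = "O'Brien";
        // The apostrophe closes the string literal early in the concatenated text,
        // which is the same quoting problem an attacker exploits deliberately.
        System.out.println(buildConcatenatedQuery(name));
        // findUserId(con, name) would instead send the fixed statement plus the
        // value "O'Brien" as a separate parameter, and match that exact name.
    }
}
```

    The legitimate name with an apostrophe is the useful test case for defenders: if concatenated SQL breaks on it, the code is also open to crafted input, whereas the parameterised form handles both identically. Note that frameworks escaping or parameterising generated SQL does not cover queries an application still assembles by hand, so those paths need the same treatment.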