I have a JTextField in a GUI Java App. It's not connected to a Database so I'm not worried about SQL injection or anything like that, but I wonder if I need to worry about a stack overflow or another problem.
For example if the user decides to hold his finger on "A" ad nauseum. My Java reference book offered no procedures to prevent misuse of the application like this.
Each key-press produces a KeyEvent, which (over some steps) is translated to a call to insert the text in the Document of your JTextField. If the user inputs really really much text (many megabytes) (then more probably by cut'n'paste), you could get an OutOfMemory error, but this is still nothing that damages you, only the user, since he can't work with the application.
So, nothing really Security-relevant here.
You should be fine with the text field from a security standpoint. I would suggest worrying more about what the code does with the text or in response to the text. SQL injection being one of the most common concerns.
Related
The webpage I'm working on with JSP and a Java Servlet needs to enable the user to write comments and articles which contain text but also Code of various languages (including html and javascript).
The data is stored in a mysql database and displayed later on the page.
For input, I thought to use one of the many WYSIWYG Editors out there.
Those usually produce (x)Html code for the database.
This means I need a type of sanitizing on serverside before inserting into the database since the editor could be easily circumvented and malicious code displayed onto the site (the database itself is secured by prepared statements).
What would be the best and most simple way to approach this topic?
And would it make more sense to switch to BBCode Input instead of html?
I've found several threads here around, but most don't take into account that code actually needs to be displayed on the site and most threads are several years old already.
Huge thanks in advance!
You can use KefirBB to use BBCodes or for HTML filtration.
https://github.com/kefirfromperm/kefirbb
If I want to save a response to a query on a website I'm coding to a server, how would I do that?
Here's an example. If I had a site with a "Rate us" form, and a person answered with a "AWFUL SITE!" how would I be able to save & retrieve that information?
There are several ways to do what you want to do. I'll describe two of them.
You could append each rating to the end of a file on the web server. This would be done in a server-side scripting language usually, such as PHP or ASP.NET, and you would probably want to set the permissions on the file so that it's not readable to everyone.
You could set up a table in a database (MySQL or otherwise) and add a new row for each rating given. Again, this would be done in something like PHP or ASP.NET and you would want to make sure you take precautions against SQL injection attacks (not much of a problem if you use PHP Data Objects rather than the deprecated mysql_* functions).
I would personally go for the second option as it's easier to manage and change, and it's easier to set it up so that you can store IP, name, optional email and message in every row. And like I said, you can add a new field later down the line without running into the obvious problems.
I have a form in Swing with a lot of textfields receiving data. The idea is when a button is clicked, the app gathers all the data from the textfields at once. Do you know a good practice for this? Or is it necessary to gather the data textfield by textfield?
If you are looking for a framework, try BeansBinding from JDesktop. It is quite well integrated with Netbeans IDE's Matisse GUI builder, and should be sufficient for most needs in a simple program.
If you are using Netbeans, here's a good primer to help you get started.
However, as BeansBinding works by abstracting all the complexity away, what you lose is more granular control. If you are developing a highly complex application that requires more control and tweaks, then I would suggest that roll up your sleeves and prepare to get your hands dirty. Register a class as a listener for each of the editable fields on the form, and save the data to a bean class that stores each of the necessary values.
You will have to read text from each text field/area one at a time.
In order to make your life easier - you'd want to put all the fields you want to read inside a List or a Vector when they get created; in this way, you will be able to read them in a simple for loop. If you need to know which field is which, use a HashMap and name each JTextField with a unique name to serve as key for the HashMap. Conversely, you can use .setName("SomeName") and use a List/Vector and use getName() to see what field it is.
As far as good practices go, unless you have many-many-many fields in your form, you don't need to worry because it won't take too long to do and you can put all the reading code in your listener method. However, if we're talking about many dozens or even hundreds of text fields, you'd want to start a new Thread to do that for you and disable the button so that the user knows something is going and can't press the same button again until the reading is done.
I'm developing a web application, and facing some security problems.
In my app users can send messages and see other's (a bulletin board like app). I'm validating all the form fields that users can send to my app.
There are some very easy fields, like "nick name", that can be 6-10 alpabetical characters, or message sending time, which is sended to the users as a string, and then (when users ask for messages, that are "younger" or "older" than a date) I parse this with SimpleDateFormat (I'm developing in java, but my question is not related to only java).
The big problem is the message field. I can't restrict it to only alphabetical characters (upper or lowercase), because I have to deal with some often use characters like ",',/,{,} etc... (users would not be satisfied if the system didn't allow them to use these stuff)
According to this http://ha.ckers.org/xss.html, there are a lot of ways people can "hack" my site. But I'm wondering, is there any way I can do to prevent that? Not all, because there is no 100% protection, but I'd like a solution that can protect my site.
I'm using servlets on the server side, and jQuery, on the client side. My app is "full" AJAX, so users open 1 JSP, then all the data is downloaded and rendered by jQuery using JSON. (yeah, I know it's not "users-without-javascript" friendly, but it's 2010, right? :-) )
I know front end validation is not enough. I'd like to use 3 layer validation:
- 1. front end, javascript validate the data, then send to the server
- 2. server side, the same validation, if there is anything, that shouldn't be there (because of client side javascript), I BAN the user
- 3. if there is anything that I wasn't able to catch earlier, the rendering process handle and render appropriately
Is there any "out of the box" solution, especially for java? Or other solution that I can use?
To minimize XSS attacks important thing is to encode any field data before putting it back on the page. Like change > to > and so on. This would never allow any malicious code to execute when being added to the page.
I think you are doing lot of right things by white listing the data you expect for different fields. Beyond that for fields which can allow other characters which can be problematic encoding would fix the issue for you.
Further since you are using Ajax it gives you some protection as people cannot override values in URL parameters etc.
Look at the AntiSamy library. It allows you to define rulesets for your application, then run your user input through AntiSamy to clean it per your rules.
The easiest way is to do a simple replacement for the following
< with <
> with >
' with \'
That will solve most database vulnerability.
I'm wandering myself what component is the best for displaying fast search results in swing. I want to create something like this, make a text field where user can enter some text, during his entering I'll improve in back end fast search on database, and I want to show data bellow the text box, and he will be able to browse the results and on pres enter result will be displayed in table. So my question is is there any component which already have this logic for displaying?
Or is it's not, what is the best way to implement that.
This search will be something what ajax gives me on web, same logic same look and feel, if it's possible on desktop application.
Are you looking for something like an AutoComplete component for Java Swing?
SwingX has such a component. See here for the JavaDoc. It has a lot of utility methods to do various things, i.e. auto-completing a text box from the contents of a JList.
I strongly, strongly recommend that you take a look at Glazed Lists - this is one of the finer open source Java libraries out there, and it makes the bulk of what you are asking about super easy.
You will have to first attach a listener to the JTextFields Document to be notified whenever the user types in the field (or changes it).
From there, you can fire off any server-side code you need. The results of that can be used to update a listbox.
A few things to keep in mind:
The code to do the search against the backend must be in another thread
The code that updates the list box should update the list box's model
You will need to manage all your backend search results so that you only update the listbox with the most recent result (e.g. user types 'A', backenf searches for that. Meanwhile, user has typed 'C', kicking off a backend search for 'AC'. You need to ensure the results from the 'A' search dont' make it to the listbox if the 'AC' search results are available).
Use Hibernate Search.
The SwingHack (http://oreilly.com/catalog/9780596009076/) book has an example of this.
In the interest of killing two birds with one stone: have a separate indexing thread. This will:
Improve the speed of searches whenever they are executed.
Improve the responsiveness of the UI since indexing is happening in a separate thread.
Of course, exactly how you perform the indexing will vary widely depending on your particular application. Here is a good place to start researching: Search Indexing. And please, ignore the reference to Web 3.0 [sic].
It is possible of course. It is simple too. For drop down list of terms just use popup menu. This is simple. The background processing of entered text is simple too. Enjoy!