Extensively test applications that supply, propagate, or accept user input.
An effective technique for preventing the related issue of SQL injection is parameterization. Parameterization ensures that user-specified data is passed to an API as a parameter such that the data is never interpreted as executable content. Unfortunately, Java SE currently lacks an analogous interface for XPath queries. However, an XPath analog to SQL parameterization can be emulated by using an interface such as XQuery that supports specifying a query statement in a separate file supplied at runtime.
Input File: login.xq
declare variable $userName as xs:string external;
declare variable $password as xs:string external;
//users/user[@userName=$userName and @password=$password]
This compliant solution uses a query specified in a text file by reading the file in the required format and then inserting values for the user name and password in a Map. The XQuery library constructs the XML query from these inputs.
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathExpressionException;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
// XQuery and XQueryFactory are supplied by the XQuery library the text refers to, not by Java SE.

private boolean doLogin(String userName, String pwd)
    throws ParserConfigurationException, SAXException,
           IOException, XPathExpressionException {
  DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
  domFactory.setNamespaceAware(true);
  DocumentBuilder builder = domFactory.newDocumentBuilder();
  Document doc = builder.parse("users.xml");
  // The query text is fixed in login.xq; only the variable bindings change per call
  XQuery xquery = new XQueryFactory().createXQuery(new File("login.xq"));
  Map<String, String> queryVars = new HashMap<>();
  queryVars.put("userName", userName);
  queryVars.put("password", pwd);
  NodeList nodes = xquery.execute(doc, null, queryVars).toNodes();
  // Print first names to the console
  for (int i = 0; i < nodes.getLength(); i++) {
    Node node = nodes.item(i);
    System.out.println(node.getTextContent());
  }
  return (nodes.getLength() >= 1);
}
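The same parameterization can be shown with only Java SE classes. This is an added example, not the book's code: it binds $userName and $password through javax.xml.xpath.XPathVariableResolver (a swapped-in mechanism, used here in place of the XQuery library the text relies on) for the predicate from login.xq, and the users.xml content is a constructed in-memory sample.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathParamLogin {
    // Constructed sample user store standing in for users.xml.
    private static final String USERS_XML =
        "<users><user userName=\"alice\" password=\"s3cret\"/>"
      + "<user userName=\"bob\" password=\"hunter2\"/></users>";

    // Same predicate as login.xq; $userName and $password are XPath
    // variables, so whatever the caller supplies is compared as data.
    private static final String QUERY =
        "//users/user[@userName=$userName and @password=$password]";
    static boolean doLogin(Document doc, String userName, String pwd) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        // Bind each $variable by name; the query text itself never changes.
        xpath.setXPathVariableResolver(name -> {
            if ("userName".equals(name.getLocalPart())) {
                return userName;
            }
            if ("password".equals(name.getLocalPart())) {
                return pwd;
            }
            return null; // unknown variable name: leave unbound so evaluation fails loudly
        });
        NodeList nodes = (NodeList) xpath.evaluate(QUERY, doc, XPathConstants.NODESET);
        return nodes.getLength() == 1;
    }
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        System.out.println(doLogin(doc, "alice", "s3cret"));
        System.out.println(doLogin(doc, "alice", "wrong"));
        // A quote and XPath operators in the user name stay inside the
        // variable's string value instead of altering the predicate.
        System.out.println(doLogin(doc, "alice' or '1'='1", "anything"));
    }
}
```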