All other characters are unsafe and are first converted into one or more bytes using some encoding scheme. Then each byte is represented by the three-character string "%xy", where xy is the two-digit hexadecimal representation of the byte. The recommended encoding scheme to use is UTF-8. However, for compatibility reasons, if an encoding is not specified, then the default encoding of the platform is used.
The URLDecoder class from the java.net package is a utility class for HTML form decoding. Likewise, this class also contains two static decode() methods for decoding a string from the application/x-www-form-urlencoded MIME format.
The conversion process is the reverse of that used by the URLEncoder class. It must be noted that all characters in the encoded string are assumed to be of the following: a through z, A through Z, 0 through 9, and "-", "_", ".", and "*". The character "%" is allowed but is interpreted as the start of a special escaped sequence.
Again, the following rules are applied in the conversion:
The alphanumeric characters a through z, A through Z, and 0 through 9 remain the same.
The special characters ".", "-", "*", and "_" remain the same.
The plus sign "+" is converted into a space character " ".
A sequence of the form "%xy" will be treated as representing a byte where xy is the two-digit hexadecimal representation of the 8 bits. Then, all substrings that contain one or more of these byte sequences consecutively will be replaced by the character(s) whose encoding would result in those consecutive bytes. The encoding scheme used to decode these characters may be specified or, if unspecified, the default encoding of the platform will be used.
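The following program is an added example (it is not from the book or the JDK) that ties the encoding rules above and the decoding rules just listed together. It contains a small reference decoder, decodeForm(), written directly from the listed rules, and compares its output with java.net.URLDecoder on a constructed input. The class name, the method names and the sample string are assumptions made for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class FormDecodeDemo {

    // Reference decoder built from the rules in the text: letters, digits and
    // . - * _ pass through, "+" becomes a space, and every run of consecutive
    // %xy escapes is collected into one byte buffer that is decoded as a whole
    // with the supplied charset (so multi-byte UTF-8 characters survive).
    static String decodeForm(String s, Charset cs) {
        StringBuilder out = new StringBuilder();
        ByteArrayOutputStream pending = new ByteArrayOutputStream();
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '%') {
                // "%" must be followed by exactly two hexadecimal digits.
                if (i + 2 >= s.length()) {
                    throw new IllegalArgumentException("Incomplete escape at index " + i);
                }
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) {
                    throw new IllegalArgumentException("Bad hex digits at index " + i);
                }
                pending.write((hi << 4) | lo);
                i += 3;
                continue;
            }
            // Any non-escape character ends the current run of %xy bytes.
            flushPending(pending, out, cs);
            if (c == '+') {
                out.append(' ');
            } else {
                // Remaining characters are the safe set (alphanumerics . - * _),
                // which the format promises to leave unchanged.
                out.append(c);
            }
            i++;
        }
        flushPending(pending, out, cs);
        return out.toString();
    }

    private static void flushPending(ByteArrayOutputStream pending,
                                     StringBuilder out, Charset cs) {
        if (pending.size() > 0) {
            out.append(new String(pending.toByteArray(), cs));
            pending.reset();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a space, an accented letter, "&" and "%".
        String original = "naïve search & 50%";

        // Always name the charset explicitly; the one-argument encode() falls
        // back to the platform default, which differs between machines.
        String encoded = URLEncoder.encode(original, StandardCharsets.UTF_8.name());
        System.out.println("encoded          : " + encoded);

        String viaJdk = URLDecoder.decode(encoded, StandardCharsets.UTF_8.name());
        String viaRef = decodeForm(encoded, StandardCharsets.UTF_8);
        System.out.println("JDK decode       : " + viaJdk);
        System.out.println("reference decode : " + viaRef);
        System.out.println("round trip ok    : "
                + (viaJdk.equals(viaRef) && original.equals(viaJdk)));

        // Decoding with a different charset than the one used for encoding
        // reassembles the same bytes into the wrong characters.
        System.out.println("wrong charset    : "
                + decodeForm(encoded, StandardCharsets.ISO_8859_1));
    }
}
```

The "ï" in the sample becomes the two bytes C3 AF under UTF-8, so the encoder emits "%C3%AF"; both decoders must treat that pair of escapes as one unit, which is exactly the "consecutive bytes" rule in the text. The final line shows why the platform-default fallback is a portability and correctness hazard: the same bytes decoded as ISO-8859-1 yield two unrelated characters instead of "ï".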
10.3 Secure Database Queries
10.3.1 Need for Secure Database Access
Databases are the storehouses of critical information assets. Web applications, more often than not, employ databases for the storage of application data. Databases are storage repositories for a variety of information elements. These include user information, transaction information, master information (in the case of accounting and inventory masters), and a smorgasbord of different types of information queried by the application during the CRUD operations of the Web application (create, read, update, and delete).
Attackers have been successful at exploiting the way applications query the databases for information. Attackers are able to identify vulnerable implementations where the application's SQL queries are vulnerable to injection attacks and consequently are able to get access to the contents of the database. This attack is popularly known as an SQL injection attack.
SQL injection is an attack where an attacker inserts certain crafted SQL queries into the application that allow the attacker to gain access to the information contained in the database. In certain cases, SQL injection also successfully allows the attacker to gain access to certain restricted areas of the application. Attackers can also delete or insert information into database tables, thereby gaining access to key data elements and, in some cases, gaining control over the entire database itself.
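The following class is an added example (not from the book) that shows the root cause just described in JDBC terms: a query assembled by concatenating request data beside the same query written with a bound parameter. The class name, the accounts table with its id, username and email columns, and the sample name are assumptions; the Connection is assumed to come from the application's usual DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class AccountLookup {

    // The pattern that makes injection possible: request data is spliced into
    // the SQL text, so the database cannot tell where the statement ends and
    // the data begins. Shown only to contrast with the safe form below.
    static String buildDynamicQuery(String username) {
        return "SELECT id, email FROM accounts WHERE username = '" + username + "'";
    }

    // Hardened form: the SQL text is fixed at compile time and the value is
    // bound as a parameter, so the driver always transmits it as data.
    static List<String> findEmails(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        String sql = "SELECT id, email FROM accounts WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    // Counts single quotes, which delimit string literals in SQL; a change in
    // this count caused by the input means the statement's structure changed.
    static long quoteCount(String sql) {
        return sql.chars().filter(ch -> ch == '\'').count();
    }

    public static void main(String[] args) {
        // Constructed sample input: an ordinary surname that happens to contain
        // the character SQL uses to delimit strings.
        String fromRequest = "O'Brien";

        String dynamic = buildDynamicQuery(fromRequest);
        System.out.println(dynamic);
        System.out.println("quotes in statement: " + quoteCount(dynamic)
                + " (expected 2 for one literal)");
        // The extra quote proves the input altered the SQL itself, not merely
        // the value being compared. findEmails() would pass the same string
        // through setString() and the statement text would stay exactly
        // "SELECT id, email FROM accounts WHERE username = ?".
    }
}
```

The odd quote count is the whole story: once data can change the shape of the statement, any input the application forwards to the database is executed as code. The prepared-statement form removes that possibility without any escaping logic, which is why it is preferred over attempts to sanitize the input string.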
SQL injection attacks happen because of the following reasons:
Dynamic use of data to construct SQL query