
I am working with an application which is built using HTML, JavaScript and jQuery for the front end and uses Java and Oracle for the back end and database.

Currently it passes data back from front end to java with a URL parameter appended to the end like http://localhost/28182391238912398172&id=12345

It then uses an AJAX GET request to call on the servlet using the id from the URL to run a prepared statement to query the database using Java.

What I need to do is remove the appending of the parameter in the URL and pass it another way so it's not in the URL. Essentially I'm trying to prevent the possibility of SQL injection, but I'm not sure how to pass this value back and save it to the HTTPServletRequest so I can call it up from Java in the back end.

Would I have to do another AJAX call but using POST to save it somehow?

Thank you for any thoughts on this!

SS113
  • Use a POST request, e.g. `$.post('/28182391238912398172', { id: 12345 })`. I don't see what this has to do with SQL injection though – Phil Sep 13 '18 at 02:08
  • Thanks Phil, I'll give that a try. About the SQL injection: somebody could potentially alter the request at the parameter and do one. – SS113 Sep 13 '18 at 02:12
  • Anybody can alter any parameter sent to your server over HTTP. Preventing SQL injections happens at the DB layer, preferably using prepared statements with parameter binding. You might also be interested in [CSRF protection](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). – Phil Sep 13 '18 at 02:13
  • So you're saying I can keep it as a URL parameter, but if I'm using a prepared statement then a SQL injection isn't possible? Looking at the Java code now, it's not one; it's just embedded SQL in the Java code itself. Also thanks for the CSRF link, I'll read up on that. – SS113 Sep 13 '18 at 02:20
  • The OWASP site has good articles on SQL injection too. I suggest you read them too. – Phil Sep 13 '18 at 02:21

1 Answer


About SQL injection, you have to take care of it on the server side and try to write safe code like this:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// The id taken from the request is bound to the ? placeholder after the
// statement has been parsed, so it can never be interpreted as SQL text.
PreparedStatement stmt = connection.prepareStatement("SELECT * FROM table WHERE id=?");
stmt.setString(1, id);
ResultSet rs = stmt.executeQuery();
```
Danial Jalalnouri
  • Thanks, I'm planning on doing just that. I'm just worried about the URL parameter. If I do that, does it really matter how the id parameter is passed? (URL vs AJAX POST) – SS113 Sep 13 '18 at 03:33
  • Read https://stackoverflow.com/questions/46585/ but in both methods you have to care about SQL injection because, in both methods, attackers can change the value. – Danial Jalalnouri Sep 13 '18 at 03:44
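The point made in the comments above and in the answer, that the transport (GET query string vs. POST body) does not matter and only parameter binding prevents injection, as an added example that is not part of the original question or answer. It is written in Python with an in-memory sqlite3 database standing in for Oracle/JDBC (an assumption; binding behaves the same way through a JDBC `PreparedStatement`), and the request data and table rows are constructed for the demonstration. `extract_id` mimics what `HttpServletRequest.getParameter("id")` hands the servlet in either case.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows standing in for the Oracle table (assumption:
# an in-memory sqlite3 database; parameter binding behaves the same over JDBC).
ROWS = [(12345, "alice"), (12346, "bob"), (12347, "carol")]

# Constructed request data. The same attacker-controlled value arrives once
# as a GET query string and once as a POST form body ("12345 OR 1=1").
GET_QUERY_STRING = "id=12345%20OR%201%3D1"
POST_FORM_BODY = "id=12345+OR+1%3D1"


def make_db():
    """Create the sample table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def extract_id(raw_params):
    """Mimic HttpServletRequest.getParameter("id"): the container decodes a
    query string and an x-www-form-urlencoded body into the same parameter
    map, so the servlet sees identical input regardless of transport."""
    params = parse_qs(raw_params, keep_blank_values=True)
    return params.get("id", [""])[0]


def lookup_concat(conn, id_value):
    """Vulnerable: the request value is spliced into the SQL text, which is
    what the asker found in the existing Java code. With the constructed
    input the WHERE clause becomes `id=12345 OR 1=1`, true for every row."""
    sql = "SELECT id, name FROM users WHERE id=" + id_value
    return conn.execute(sql).fetchall()


def lookup_bound(conn, id_value):
    """Safe: the value is bound to the ? placeholder after the statement is
    parsed, so it is only ever compared against the id column as data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id=?", (id_value,)
    ).fetchall()


def lookup_validated(conn, id_value):
    """Defence in depth: reject anything that is not an unsigned integer
    before it reaches the database, so malformed input fails loudly
    instead of silently matching nothing."""
    if not id_value.isdigit():
        raise ValueError("id must be a positive integer, got %r" % (id_value,))
    return lookup_bound(conn, int(id_value))


def demo():
    """Run the injected value through both transports and both query styles.
    Returns, per transport, the decoded value and the row counts each style
    produced: concatenation leaks every row, binding matches nothing."""
    conn = make_db()
    results = {}
    for transport, raw in (("GET", GET_QUERY_STRING), ("POST", POST_FORM_BODY)):
        value = extract_id(raw)
        results[transport] = {
            "value": value,
            "concat_rows": len(lookup_concat(conn, value)),
            "bound_rows": len(lookup_bound(conn, value)),
        }
    return results


if __name__ == "__main__":
    for transport, outcome in demo().items():
        print(transport, outcome)
```

Moving the parameter from the query string to a POST body only changes where the attacker types the payload; `demo()` shows the concatenated query returning all three rows through both transports while the bound query returns none. The one thing POST does buy is keeping the id out of server logs, browser history and `Referer` headers, which is a separate concern from injection.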