is it safe to get the java.sql.connection to jsp page form servlet

Question

I have created a servlet called dbConnect(return type Connection). In which i wrote the code to connect to the database. Now I am calling the dbConnect(<%Connection con=dbConnect.getConnection()%>) into the JSP file. Since JSP file will be in the client side is there any possibility that an hacker can hack the connection??

JSP file does certainly not run in the client side. JSP runs in server side and produces HTML. To see it yourself, open the JSP page in browser, rightclick and do *View Source*. But your concrete problem is much bigger: you're applying bad practices. Read this: http://stackoverflow.com/questions/3177733/how-to-avoid-java-code-in-jsp-files — BalusC, Mar 06 '12 at 13:33

score 4 · Answer 1 · answered Mar 05 '12 at 21:38

4

The larger question is whether or not this is a good thing to do.

My preference would be no scriptlet code in JSPs whatsoever. If you must write JSPs, I'd recommend using JSTL tags and a servlet to handle requests. Let a servlet sit between the JSP and the database and intercede on its behalf with the database. You can do authentication, input validation, binding, and routing in the servlet and let the JSP do what it was meant to do: display only.

If this JSP is intended for anything other than a single toy application, I'd recommend that you dig into model-2 web MVC using JSPs and servlets.

answered Mar 05 '12 at 21:38

duffymo

305,152
44
369
561

1999! That's *13 years ago!* Surely this is not a new idea. – duffymo Mar 05 '12 at 23:12
where do the JSP's (<% %>)tag gets executed? – Venkat Santosh Debbadi Mar 06 '12 at 09:27
They get compiled into a servlet that's executed on the server. – duffymo Mar 06 '12 at 10:41
@duffymo - yes not a new idea. When this topic comes up, I've always used that link, since it does such a good job of explaining model-2 servlets. – Don Branson Mar 06 '12 at 14:31
My comment was not addressed to you, Don. Your link is fine. It's intended for Venkat to emphasize that using model 2 MVC is not new. – duffymo Mar 06 '12 at 14:54

score 2 · Answer 2 · answered Mar 05 '12 at 21:34

2

JSP files aren't on the client side. A JSP is compiled into a servlet so anything you feel safe doing in a servlet is just as safe in a JSP page. That code snippet inside of <% %> is turned into plain old java code. Your HTML is turned into a string that's spit out from the servlet back to the client.

So yes, it's fine.

answered Mar 05 '12 at 21:34

Rick Mangi

3,761
1
14
17

Then where do the JSP files get executed?? – Venkat Santosh Debbadi Mar 06 '12 at 09:25
JSP files are compiled into servlets (when and where depends on the servlet container, i.e. tomacat, jetty, jboss) and are run just like any other servlet. The mapping of the compiled servlet is invisible to you as a developer but for all intents and purposes... it is a servlet. – Rick Mangi Mar 06 '12 at 15:00

is it safe to get the java.sql.connection to jsp page form servlet

2 Answers2