
user input with single quotes

 
BV Boose
Ranch Hand
Posts: 33
Hi all
Hope this is the right place to ask this question.
I have an inputText field for user input to search for last names in a .xhtml:


Works fine until a user enters something with a single quote. So o'leary, o'dell, etc. generate a 403 error page:

I thought that parametrized queries used by Seam would properly escape meta characters? Do I need to do some kind of validation in the backing bean? If so, how do I allow this use of meta chars without asking for SQL injection issues?
I'm using Seam 2.2 with JSF 1.2 and Hibernate, deployed on JBoss 5.1 backed by Oracle 9.

Thanks in advance.
 
Tim Holloway
Bartender
Posts: 18662
I really do need to sit down and find time to read my Seam book.

I'm not sure what effect that s:decorate tag is having, but there's absolutely no need to provide any sort of escaping mechanism for the JSF inputText control to deal with any of the XML magic characters, whether they're single/double quotes, angled brackets or ampersands.

Most likely either there's a bug in the framework or your server got the hiccups, since there's certainly no reason why JSF should be attempting to use an HtmlInputControl's value expression as a URL.
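
The bound-parameter behaviour the question asks about, as an added example that is not code from either poster: a bind parameter carries a name such as o'leary without any escaping, while string concatenation breaks on the apostrophe. Python's sqlite3 stands in for the thread's Hibernate/Oracle stack, and the table, sample names and function names are constructed for illustration; the LIKE wildcard escaping goes one step beyond the thread's case.

```python
import sqlite3

# Constructed sample data; SQLite is an assumed stand-in for the thread's database.
NAMES = ["O'Leary", "O'Dell", "Olsen", "Smith", "100%_Match"]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (last_name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?)", [(n,) for n in NAMES])
    return conn

def search_concat(conn, term):
    """Unsafe 'before': user input is spliced into the SQL text itself."""
    sql = ("SELECT last_name FROM person "
           "WHERE lower(last_name) LIKE '" + term.lower() + "%'")
    return [row[0] for row in conn.execute(sql)]

def escape_like(term, esc="\\"):
    """Make % and _ in user input match literally instead of as wildcards."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_bound(conn, term):
    """Safe: the value travels as a bind parameter, never as SQL text."""
    sql = ("SELECT last_name FROM person "
           "WHERE lower(last_name) LIKE ? ESCAPE '\\' ORDER BY last_name")
    pattern = escape_like(term.lower()) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]

def demo():
    """Run the same apostrophe input through both query styles."""
    conn = make_db()
    try:
        search_concat(conn, "o'leary")
        concat_result = "ok"
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early, so the rest
        # of the input was parsed as SQL and rejected.
        concat_result = "SQL error: %s" % exc
    return concat_result, search_bound(conn, "o'leary")

if __name__ == "__main__":
    print(demo())
```
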
 