
user input with single quotes

 
BV Boose
Ranch Hand
Posts: 33
Hi all
Hope this is the right place to ask this question.
I have an inputText field for user input to search for last names in a .xhtml:


Works fine until a user enters something with a single quote. So o'leary, o'dell, etc. generate a 403 error page:

I thought that the parametrized queries used by Seam would properly escape meta characters? Do I need to do some kind of validation in the backing bean? If so, how do I allow this use of meta chars without asking for SQL injection issues?
I'm using Seam 2.2 with JSF 1.2 and Hibernate. Deployed on JBoss 5.1 backed by Oracle 9.

thanks in advance.
 
Tim Holloway
Bartender
Posts: 18419
I really do need to sit down and find time to read my Seam book.

I'm not sure what effect that s:decorate tag is having, but there's absolutely no need to provide any sort of escaping mechanism for the JSF inputText control to deal with any of the XML magic characters, whether they're single/double quotes, angled brackets or ampersands.

Most likely either there's a bug in the framework or your server got the hiccups, since there's certainly no reason why JSF should be attempting to use an HtmlInputControl's value expression as a URL.
 