posted 10 years ago
Found a security vulnerability when the application was scanned.
While scanning the application, they are passing different values for TRANS_CD; because of these invalid values the system is throwing an exception. How can we restrict this?
16 Apr 2013 16:58:58,105 [SocketListener0-7] ERROR com.xelus.solos.trans.TransRunner - Object Not In Db Exception
com.xelus.solos.persistent.ObjectNotInDbException: TransactionMap could not be found in the database with key of TRANS_CD = [DISPLAY_1C_SELECTION' OR]
at com.xelus.solos.persistent.TransactionMap.loadByTransCd(Unknown Source)
16 Apr 2013 16:59:09,970 [SocketListener0-7] ERROR com.xelus.solos.trans.TransRunner - Object Not In Db Exception
com.xelus.solos.persistent.ObjectNotInDbException: TransactionMap could not be found in the database with key of TRANS_CD = [DISPLAY_1C_SELECTION' AND 5=5 OR 's'='0]
at com.xelus.solos.persistent.TransactionMap.loadByTransCd(Unknown Source)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
Code:
    // Look up one TransactionMap row by TRANS_CD. The query is a
    // PreparedStatement with a bound parameter, so whatever is in transCd
    // is sent to the database as a value, not as SQL text.
    PreparedStatement pstmt = con.prepareStatement(
        "SELECT " + Consts.FIELD_TRANS_CD + ", "
            + Consts.FIELD_TRANS_GOTO_CD + ", "
            + Consts.FIELD_TRANS_CLASS_NM + ", "
            + Consts.FIELD_TRANS_METHOD_NM + ", "
            + Consts.FIELD_UPDATE_STAMP + " "
            + "FROM " + Consts.TABLE_TRANS + " "
            + "WHERE " + Consts.FIELD_TRANS_CD + " = ?");
    pstmt.setString(1, transCd);   // bind the request value as parameter 1
    ResultSet rs = pstmt.executeQuery();
    if (rs.next()) {
        // Row found: copy the columns into this object's fields.
        // (Releasing rs, pstmt and con for this branch is outside the posted fragment.)
        _isPersistent = true;
        _transCd = rs.getString(1);
        _transGotoCd = rs.getString(2);
        _transClassNm = rs.getString(3);
        _transMethodNm = rs.getString(4);
        _updateStamp = rs.getString(5);
    }
    else {
        // No row: reset state, release resources, then report the miss.
        // The raw transCd is embedded in the exception message here, which is
        // what appears in the ERROR log lines above.
        clear();
        rs.close();
        pstmt.close();
        connectionManager.freeConnection(con);
        throw new ObjectNotInDbException("TransactionMap",
            "TRANS_CD = [" + transCd + "]");
    }
Please help me understand how to resolve this issue.