From: pmz on 5 Aug 2010 14:10

Dear Friends,

As most recent viewers know, I'm playing around with EJB and I have found two big problems.

First problem is quoting output of beans inside JSP, an example:

I load data in servlet:

    getServletContext().setAttribute("cupUser", cupUserFacade.find(userId));

    <input type="text" name="userFullName" value="${cupUser.userFullName}" />

returns into:

    <input type="text" name="userFullName" value="My Stupid "Very" Stupid Value" />

That's a problem, where I'm not sure whether changing " into ' in <input/> is a good solution. How do I fix it?

Second problem is encoding. Each page is attached with UTF-8 encoding tags, database encoding is utf8_default, JSP pages/servlets print out data perfectly, but when I update data in database (via EJB):

Log says:

    FINE: UPDATE cup_user SET User_Contact = ?, User_FullName = ? WHERE (ID = ?)
    bind => [????????Ä???Ä?????Ä?????????Ä?, Bartek , 5]
    FINER: TX afterCompletion callback, status=COMMITTED

(I don't think that's the perfect way to store data ;)

And output obviously is damaged with shitchars.

Where shall I look for encoding configuration? web.xml? persistance.xml? Resource configuration?

100% sure that database (client & server) are configured ok (with UTF-8).

Thank you for helping me.

All the best,
Przemek M. Zawada
From: Lew on 5 Aug 2010 15:32

pmz wrote:
> As most of recent viewers know I'm playing around the EJB and I have
> found two big problems.
> First problem is quoting output of beans inside JSP, an example:
>
> I load data in servlet:
>
> getServletContext().setAttribute("cupUser",
> cupUserFacade.find(userId));
>
> <input type="text" name="userFullName" value="$
> {cupUser.userFullName}" />

Those lines are from two separate artifacts, a Java source file (POJO) and a JSP, right?

> returns into:
>
> <input type="text" name="userFullName" value="My Stupid "Very" Stupid
> Value" />
>
> That's a problem, where I'm not sure whether changing " into ' in
> <input/> is a good solution.
> How do I fix it?

What's wrong with using single quotes in the attribute?

Otherwise I think you just have to escape the quotes. I'm sure there's also some other solution I haven't learned yet.

> Second problem is encoding. Each page is attached with UTF-8 encoding
> tags, database encoding is utf8_default, JSP pages/servlets printout
> data perfectly, but when I update data in database (via EJB):
>
> Log says:
> FINE: UPDATE cup_user SET User_Contact = ?, User_FullName = ? WHERE
> (ID = ?)
> bind => [????????Ä???Ä?????Ä?????????Ä?, Bartek , 5]
> FINER: TX afterCompletion callback, status=COMMITTED
>
> (I don't think that the perfect way to store data ;)
>
> And output obviously is damaged with shitchars.

"obviously"?

> Where shall I look for encoding configuration? web.xml?
> persistance.xml [sic]? Resource configuration?
>
> 100% sure that database (client & server) are configured ok (with
> UTF-8).

Are you sure that display of the log isn't just an artifact of how you're displaying it? If you look at the log with, say, a hex dump, do the hex characters match what the encoded values should look like?

--
Lew
From: pmz on 6 Aug 2010 09:50

On 5 Sie, 21:32, Lew <l...(a)lewscanon.com> wrote:
>
> Those lines are from two separate artifacts, a Java source file (POJO)
> and a JSP, right?

Yes of course!

> What's wrong with using single quotes in the attribute?

Mainly, nothing, in case the user won't enter any of them in the text field, right? I may strip them out with JS, but it's not the best idea (doing it user-side).

> Otherwise I think you just have to escape the quotes. I'm sure
> there's also some other solution I haven't learned yet.

Yeah, I thought that maybe there's something like magic_quotes = On (in the PHP configuration file), which enables you to do it automatically.

> "obviously"?

Yeah, of course, because the data in the database is the same as the string dumped in the logfile, which tells me that the update engine does not use the required encoding. Dunno why.

Przemek M. Zawada
From: Jean-Baptiste Nizet on 6 Aug 2010 15:22

On Aug 6, 3:50 pm, pmz <przemek.zaw...(a)gmail.com> wrote:
> On 5 Sie, 21:32, Lew <l...(a)lewscanon.com> wrote:
> > Those lines are from two separate artifacts, a Java source file (POJO)
> > and a JSP, right?
>
> Yes of course!
>
> > What's wrong with using single quotes in the attribute?
>
> Mainly, nothing, in case user won't enter any of them in the text
> field, right? I may strip them out with JS, but it's not the best idea
> (doing it user-side).

Don't ever do that. Validate user input at server-side. If it's OK for an input to contain quotes (and why wouldn't it?), then store the input as is in the database. Remember that data very often lives much longer than the applications using/displaying it, and that you might display data in other formats than HTML.

When you display data, if you're not 100% sure that the data doesn't contain HTML special chars (quotes, brackets, ampersands), then escape the data. In JSPs, there are two ways of escaping a string:

    <c:out value="${yourData}"/>

or

    ${fn:escapeXml(yourData)}

See http://download-llnw.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html and http://download-llnw.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html

Forgetting to escape data is one of the best ways to have your application compromised by an XSS attack. Take this really seriously.

> > Otherwise I think you just have to escape the quotes. I'm sure
> > there's also some other solution I haven't learned yet.
>
> Yeah, I thought that maybe there's something like magic_quotes = On
> (in PHP configuration file), which enables you doing it automatically.

magic_quotes is a really really bad idea of PHP, and isn't used to escape quotes for display, but for SQL usage. See http://en.wikipedia.org/wiki/Magic_quotes. It's deprecated in PHP5, and removed from PHP6, BTW.

> > "obviously"?
>
> Yeah, of course, because the data in the database is same as string
> dumped in logfile, which tells me that the update engine does not use
> required encoding. Dunno why.

This probably depends on your HTTP server. Read http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q8 for Tomcat.

> Przemek M. Zawada
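An added illustration of the escaping advice above (my code, not Jean-Baptiste's and not the JSTL implementation): a plain-Java equivalent of what fn:escapeXml / <c:out> do to the value from the original post, rendered next to the unescaped version that produced the broken <input>. The class and method names are mine; the five substitutions are the ones JSTL documents for escapeXml.

```java
// Added example: why the unescaped value breaks the attribute, and what the
// JSTL escaping (<c:out> / fn:escapeXml) turns it into instead.
public class AttributeEscapeDemo {

    // The five characters JSTL's escapeXml replaces: & < > " '
    // Escaping both quote styles means the value is safe whether the JSP
    // author wrapped the attribute in " or in ', so switching to ' buys nothing.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders the <input> from the original post with the given bean value.
    static String renderInput(String value, boolean escape) {
        String v = escape ? escapeXml(value) : value;
        return "<input type=\"text\" name=\"userFullName\" value=\"" + v + "\" />";
    }

    public static void main(String[] args) {
        // The stored value from the original post; it legitimately contains quotes.
        String stored = "My Stupid \"Very\" Stupid Value";

        // Unescaped: the first embedded " closes value="..." and the rest of the
        // text is parsed as further attributes. This is the reported symptom.
        System.out.println(renderInput(stored, false));

        // Escaped: the browser shows the quotes inside the field and the markup
        // around them stays exactly as the JSP author wrote it.
        System.out.println(renderInput(stored, true));
    }
}
```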
From: pmz on 12 Aug 2010 10:57

On 6 Sie, 21:22, Jean-Baptiste Nizet <jni...(a)gmail.com> wrote:
>
> This probably depends on your HTTP server. Read
> http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q8 for Tomcat.

Yes! I've checked it like the example shows and I've added

    request.setCharacterEncoding("UTF-8");

in doGet() and doPost() methods of servlet! Solved!

All the best,
Przemek M. Zawada
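An added example, not from the thread, that reproduces outside a servlet container what the last two posts describe: the ISO-8859-1 default decode that mangles UTF-8 form data, the effect of calling setCharacterEncoding("UTF-8") before the first parameter is read, and the hex-dump comparison Lew asked for. The sample name is constructed, and getParameter() here is a stand-in for the servlet method, not the real API.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example: what happens to UTF-8 form data when the container decodes it
// with its default ISO-8859-1, plus the hex-dump check suggested in the thread.
// Stand-alone Java; no servlet container needed.
public class RequestEncodingDemo {

    // Constructed sample: a name with Polish letters, as a browser posts it
    // from a UTF-8 page (these are the raw bytes of the request body).
    static final byte[] FORM_BYTES =
        "Bart\u0142omiej \u017b\u00f3\u0142\u0107".getBytes(StandardCharsets.UTF_8);

    // Stand-in for ServletRequest.getParameter(): the body is decoded with the
    // request encoding, which is ISO-8859-1 unless setCharacterEncoding() ran first.
    static String getParameter(byte[] body, String requestEncoding) {
        Charset cs = requestEncoding == null ? StandardCharsets.ISO_8859_1
                                             : Charset.forName(requestEncoding);
        return new String(body, cs);
    }

    // Hex of the string as it would be re-encoded (UTF-8) on its way to the DB;
    // compare this against the bytes the browser actually sent.
    static String hexDump(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            sb.append(String.format("%02x ", b));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Before the fix: every UTF-8 byte becomes one Latin-1 character, so the
        // text is already corrupted before EJB or JDBC ever see it.
        String broken = getParameter(FORM_BYTES, null);
        System.out.println("default decode: " + broken + "  hex: " + hexDump(broken));

        // After the fix from the last post: setCharacterEncoding("UTF-8") before
        // the first getParameter() call, so the same bytes decode correctly.
        String fixed = getParameter(FORM_BYTES, "UTF-8");
        System.out.println("UTF-8 decode  : " + fixed + "  hex: " + hexDump(fixed));

        // Only the correctly decoded value round-trips to the submitted bytes.
        System.out.println("broken round-trips: " + Arrays.equals(broken.getBytes(StandardCharsets.UTF_8), FORM_BYTES));
        System.out.println("fixed round-trips : " + Arrays.equals(fixed.getBytes(StandardCharsets.UTF_8), FORM_BYTES));
    }
}
```

setCharacterEncoding() governs only the request body; Tomcat decodes GET query strings with the connector's URIEncoding attribute instead, so a doGet() that reads parameters from the URL needs that setting as well.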