Using JSTL SQL tag is secure?

adeeb alexander
Ranch Hand

Joined: May 29, 2008
Posts: 268
Hi.
I would like to know whether using the JSTL sql tag is secure or not. Using it is very easy, so can I opt for it? Moreover, if not, suggest me something else.



Thanks and Regards.
Adeeb
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
You absolutely, positively, should not use it. JSPs are for generating textual views; DB access code has no place in them. It was a poor decision on the part of the JSTL designers to include that. You should read up on the MVC pattern to learn why that is.
adeeb alexander
Ranch Hand

Joined: May 29, 2008
Posts: 268
Are there any serious security issues with it? Actually, I have done it with a servlet also and passed an ArrayList to the JSP. In the code below, see how the rows are accessed; it's easy, like row.name, where name is a column of the DB. In the other case, i.e. using a servlet and passing the data to the JSP to view, I am unable to do that; I mean I get an error while trying to use row.name, which is silly, but I am not able to understand it. In the case of the servlet I am adding the content to the list in this way.



And when I am trying to use the below code to view it, only in the case of using the ArrayList data it's not working, whereas it works fine with the JSTL sql tag. I would like to know how to add data to that ArrayList so that I could access it in the below way. Thanks

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
The JSTL tag isn't any less secure than DB code written in servlets or backing beans, provided you take the same care (like protect from SQL injection, parameter fiddling, DOS attacks etc.). JSPs are just a simplified form of writing servlets, after all.
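As an added illustration of the reply above (this is example code, not from either poster), the tag is only as safe as the SQL you put in it: splicing a request parameter into the query text is injectable, while `<sql:param>` binds the value to a placeholder through a PreparedStatement. The `jdbc/demoDS` data source and the `customer` table are assumed for the example.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>

<%-- Assumed for illustration: a container-managed data source named jdbc/demoDS
     and a table customer(id, name, email). --%>
<sql:setDataSource var="ds" dataSource="jdbc/demoDS" />

<%-- UNSAFE (shown in a comment so it is never executed): ${param.name} is expanded
     into the SQL text before the query runs, so whatever the client sends becomes
     part of the statement. This is the SQL injection case the reply warns about.

     <sql:query var="rows" dataSource="${ds}"
                sql="SELECT id, name, email FROM customer WHERE name = '${param.name}'" />
--%>

<%-- SAFE: the ? placeholder is bound with <sql:param>, which the tag passes to a
     PreparedStatement; the value can never change the structure of the query. --%>
<sql:query var="rs" dataSource="${ds}"
           sql="SELECT id, name, email FROM customer WHERE name = ?">
    <sql:param value="${param.name}" />
</sql:query>

<%-- rs.rows is an array of maps keyed by column name, which is why ${row.name}
     works. A servlet can hand the JSP the same shape by storing a
     List<Map<String,Object>> (one map per row) or a List of beans with
     getName()/getEmail() getters as a request attribute; this loop is unchanged. --%>
<table>
<c:forEach var="row" items="${rs.rows}">
    <tr>
        <td><c:out value="${row.id}" /></td>
        <%-- c:out HTML-escapes each value, so a stored name cannot inject markup. --%>
        <td><c:out value="${row.name}" /></td>
        <td><c:out value="${row.email}" /></td>
    </tr>
</c:forEach>
</table>
```

Whether the query lives in the JSP or in a servlet, the same two rules apply: bind user input with parameters rather than concatenating it, and escape output on the way back out.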