...
```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class Login {
  // getConnection() and hashPassword() are assumed to be provided elsewhere in the class.
  public void doPrivilegedAction(String username, char[] password) throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);
    // Ensure that the length of user name is legitimate
    if (username.length() >= 8) {
      // Handle error
    }
    // The ? placeholders keep user input out of the SQL text; the driver binds it as data
    String sqlString = "select * from db_user where username=? and password=?";
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username);
    stmt.setString(2, pwd);
    ResultSet rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new SecurityException("User name or password incorrect");
    }
    // Authenticated; proceed
  }
}
```
...
Depending on the specific data and the command interpreter or parser to which the data is sent, different methods must be used to sanitize untrusted user input. This compliant solution uses whitelisting to sanitize the input: the method requires that the quantity field be a number between 0 and 9.
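The two defences above, a bound-parameter query and a whitelist check on a numeric field, as an added example that is not part of the original page. It is written in Python on the standard-library sqlite3 module so it runs offline; the table name, the user row and the `parse_quantity`/`login` helpers are constructed here, and the structure carries over directly to JDBC `PreparedStatement` with `setString`.

```python
import hashlib
import re
import sqlite3
from typing import Optional

# Added example, not code from the CERT page. Whitelist: exactly one digit 0-9.
QUANTITY_RE = re.compile(r"^[0-9]$")


def parse_quantity(raw: str) -> Optional[int]:
    """Whitelisting: return the digit as an int, or None for anything else."""
    if QUANTITY_RE.match(raw) is None:
        return None
    return int(raw)


def hash_password(password: str) -> str:
    # Constructed stand-in for hashPassword(); real code would use a
    # password hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with the db_user table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES (?, ?)",
                 ("alice", hash_password("s3cret")))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirror of doPrivilegedAction(): length check, then a parameterized query."""
    if len(username) >= 8:  # same limit as the Java code above
        raise ValueError("user name too long")
    # The ? placeholders are bound by the driver as data, so quotes or SQL
    # keywords inside the values cannot change the statement's structure.
    row = conn.execute(
        "SELECT 1 FROM db_user WHERE username=? AND password=?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None
```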
...