...
An effective technique for preventing the related issue of SQL injection is parameterization, whereby user-specified data is passed to an API as a parameter so that it is never interpreted as executable logic. Java SE does not offer a direct analog of JDBC's PreparedStatement for XPath queries (the closest built-in mechanism is binding values to XPath variables through javax.xml.xpath.XPathVariableResolver). SQL parameterization can also be emulated by using an interface (such as XQuery) that supports specifying a query statement in a separate file that is supplied at runtime; the user-supplied values are then bound to external variables declared in that query rather than concatenated into the query text.
Input File: login.qry

```xquery
declare variable $loginID as xs:string external;
declare variable $password as xs:string external;
//users/user[@loginID=$loginID and @password=$password]
```
This compliant solution uses a query specified in a text file by reading the file in the required format and then binding the values for the user name and password in a Map whose keys match the external variable names declared in login.qry ($loginID and $password). The XQuery library constructs the XML query from these elements, so the user-supplied values can never alter the structure of the query.
```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.Nodes;
import nux.xom.xquery.XQuery;
import nux.xom.xquery.XQueryFactory;

// Parse the user store and load the query from the separate file login.qry
Document doc = new Builder().build("users.xml");
XQuery xquery = new XQueryFactory().createXQuery(new File("login.qry"));

// Bind the untrusted inputs (loginID, pwd) to the external variables declared
// in login.qry; the keys must match the declared variable names exactly
Map<String, Object> queryVars = new HashMap<String, Object>();
queryVars.put("loginID", loginID);  // e.g., "Utah"
queryVars.put("password", pwd);     // e.g., "C^f3"

// Execute the query; the bound values are treated as data, never as query logic
Nodes results = xquery.execute(doc, null, queryVars).toNodes();
for (int i = 0; i < results.size(); i++) {
  System.out.println(results.get(i).toXML());
}
```
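The same parameterization principle can be shown with nothing but the Java SE javax.xml.xpath API, which avoids the third-party XQuery dependency. The following is an added example, not code from the original page: it evaluates the login lookup twice, once with the untrusted values concatenated into the query text (noncompliant) and once with them bound through an XPathVariableResolver (compliant), and counts the matching user nodes. The user store is a constructed in-memory document, and the class and method names (XPathParamDemo, countMatchesUnsafe, countMatchesSafe) are assumptions chosen for the illustration.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathParamDemo {

  // Constructed sample user store for this example (not from the original page)
  private static final String USERS_XML =
      "<users>"
      + "<user loginID=\"Utah\" password=\"C^f3\"/>"
      + "<user loginID=\"Bob\" password=\"secret\"/>"
      + "</users>";

  private static Document parse(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Refuse DOCTYPE declarations so the parser cannot be abused via external entities
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
  }

  // Noncompliant: the untrusted values become part of the query text
  static int countMatchesUnsafe(Document doc, String loginID, String pwd) throws Exception {
    XPath xpath = XPathFactory.newInstance().newXPath();
    String expr = "//users/user[@loginID='" + loginID + "' and @password='" + pwd + "']";
    NodeList nl = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
    return nl.getLength();
  }

  // Compliant: the query text is fixed; the untrusted values are supplied as
  // XPath variables and can only ever be compared as string data
  static int countMatchesSafe(Document doc, final String loginID, final String pwd) throws Exception {
    XPath xpath = XPathFactory.newInstance().newXPath();
    xpath.setXPathVariableResolver(new XPathVariableResolver() {
      public Object resolveVariable(QName name) {
        if ("loginID".equals(name.getLocalPart())) return loginID;
        if ("password".equals(name.getLocalPart())) return pwd;
        return null; // unknown variable: evaluation fails rather than silently matching
      }
    });
    // The resolver in effect at compile time is used during evaluation
    XPathExpression expr = xpath.compile("//users/user[@loginID=$loginID and @password=$password]");
    NodeList nl = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
    return nl.getLength();
  }

  public static void main(String[] args) throws Exception {
    Document doc = parse(USERS_XML);
    // Constructed attacker input: turns the predicate into "... or 1=1 or ..."
    String attackerID = "' or 1=1 or 'a'='";
    String wrongPwd = "x";
    System.out.println("unsafe, injected: " + countMatchesUnsafe(doc, attackerID, wrongPwd)); // 2 (all users)
    System.out.println("safe, injected:   " + countMatchesSafe(doc, attackerID, wrongPwd));   // 0
    System.out.println("safe, correct:    " + countMatchesSafe(doc, "Utah", "C^f3"));          // 1
  }
}
```

In the noncompliant path the injected login ID rewrites the predicate to `@loginID='' or 1=1 or 'a'='' and @password='x'`, which XPath parses as `A or B or (C and D)`; since `1=1` is always true, every user node matches and authentication is bypassed regardless of the password. In the compliant path the same string is simply compared against the loginID attribute and matches nothing, exactly as the Map-bound values do in the XQuery solution above.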
...