Today we learnt ways to implement a much more safer jsp page using prepared Statement and Singleton Methdod.
However before we dive into that, we covered some simple jsp knowledge and methods to apply into our page.
Get & Post
there are lots of HTTP methods: the most commonly used are get and post
get
- used when openly sharing information: news websites, search bar
- It exposes the information in the header: where the url is displayed
- limits the data that is sent over
- remains in browser history and cached
post
- used for private information: log in details
- does not expose information in header
- never cached and not saved in browser history
unless specified the default method for HTTP is get
Pro tips for JSP
- It is crucial to name the main jsp with the name index: When launching a Dynamic Web project with Java and Apache Tomcat, it will always look for an index.html, index.htm or index.jsp file first as a starting point to launch the web page => found under web.xml
- when using a new Date() element we use the import keyword to call the information.
<%@page import="java.util.Date"%>
3. We can create mini components for repeated elements such as the nav menu and insert them into each page
<jsp:include page="menu.jsp"></jsp:include>
Preventing security leaks by replacing Statements with Prepared Statements
STMT can cause a security leak as it can be easily manipulated to provide guided information.
example: below is a login page created using statement to fetch information from a database.
if someone knows the id of a user, they can type a false password followed by ‘ OR 1=1–’
this is because we can use an or statement to state that if 1=1 block the password out (using - -)
Therefore we can edit our code to use Prepared Statement instead which is less vulnerable.
public class BoardDAO {
public String login(String id, String pw) {
String name = null;
DBConnection dbconn = DBConnection.getInstance();
Connection conn = dbconn.getConn();
PreparedStatement pstmt = null; < we enter pstmt where statement is normally entered.
ResultSet rs = null;
String sql = "SELECT m_name FROM member WHERE m_id=? AND m_pw=?";
try {
pstmt = conn.prepareStatement(sql); < d we load the sql straight away, the other info is handled by DBConnection.
pstmt.setString(1, id);
pstmt.setString(2, pw); < then assign id, pw value to each ?
rs = pstmt.executeQuery(); < then we execute the query and store the result in rs
if (rs.next()) {
name = rs.getString(1); //we only get one clumn of the DB as we're only looking for the column that stores the names.
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (pstmt != null) {
try {
pstmt.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
return name;
}
public List<BoardDTO> select() {
List<BoardDTO> list = new ArrayList<BoardDTO>();
Connection conn = DBConnection.getInstance().getConn();
PreparedStatement pstmt = null; < here we do the same thing where we create pstmt to fetch the DB data
ResultSet rs = null;
String sql = " SELECT b_no,b_title,b_writer,b_date,b_like, b_count FROM board";
try {
pstmt = conn.prepareStatement(sql); <again load the sql statement into pstmt
rs = pstmt.executeQuery(); < then execute query and store info in rs to be assigned to each value in DTO
while (rs.next()) { < this time since we don't know how many columns we're loading we use the while loop
BoardDTO e = new BoardDTO();
e.setB_no(rs.getInt("b_no"));
e.setB_title(rs.getString("b_title"));
e.setB_writer(rs.getString("b_writer"));
e.setB_date(rs.getString("b_date"));
e.setB_like(rs.getInt("b_like"));
e.setB_count(rs.getInt("b_count"));
list.add(e);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (pstmt != null) {
try {
pstmt.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
return list;
}
}
Using Singleton to create a secure pathway to DB
To ensure that the connection instance is hidden and prevented from duplication, we can add a layer of security when it comes to accessing the database.
We do this by setting the access modifier for the constructor as private and create a method that will create a single instance that can be used to run the task that is needed.
public class DBConnection {
private static DBConnection dbConnection; < object that is set to private
public static DBConnection getInstance() { < this method must be called in order to call the dbConnection object above
if(dbConnection == null) {
dbConnection = new DBConnection();
}
return dbConnection; < first time it will create a new DBConnection but once it's formed it will retrieve the existing one, preventing the creation of a new one
}
private DBConnection( ) {} < privatised so the constructor cannot be called from outside
public Connection getConn() { < method that makes the connection
Connection conn = null;
try {
Class.forName("org.mariadb.jdbc.Driver");
String url = "jdbc:mariadb://redaced";
String user = "redacted";
String passwd = "redacted";
conn = DriverManager.getConnection(url, user, passwd);
} catch (Exception e) {
e.printStackTrace();
}
return conn;
}
}
public class BoardDAO {
public String login(String id, String pw) {
String name = null;
**calling singleton**
DBConnection dbconn = DBConnection.getInstance();
Connection conn = dbconn.getConn();
Statement stmt = null;
ResultSet rs = null;
String sql = "SELECT m_name FROM member WHERE m_id='"+id+"' AND m_pw='"+pw+"'";
try {
stmt = conn.createStatement();
rs= stmt.executeQuery(sql);
if(rs.next()){
name = rs.getString(1);
}
} catch (Exception e) {
e.printStackTrace();
}finally {
if(rs != null) {
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}}
if(stmt != null) {
try {
stmt.close();
} catch (SQLException e) {
e.printStackTrace();
}}
if(conn != null) {
try {
conn.close();
} catch (SQLException e) {
e.printStackTrace();
} }}
return name;
}
public List<BoardDTO> select() {
**Calling singleton**
List<BoardDTO> list = new ArrayList<BoardDTO>();
Connection conn = DBConnection.getInstance().getConn();
Statement stmt = null;
ResultSet rs = null;
String sql = " SELECT b_no,b_title,b_writer,b_date,b_like, b_count FROM board";
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);
while (rs.next()) {
BoardDTO e = new BoardDTO();
e.setB_no(rs.getInt("b_no"));
e.setB_title(rs.getString("b_title"));
e.setB_writer(rs.getString("b_writer"));
e.setB_date(rs.getString("b_date"));
e.setB_like(rs.getInt("b_like"));
e.setB_count(rs.getInt("b_count"));
list.add(e);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if(rs != null) {
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if(stmt != null) {
try {
stmt.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if(conn != null ) {
try {
conn.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
return list;
}
}
'JSP' 카테고리의 다른 글
| JSP: webpage using Servlet (0) | 2024.07.17 |
|---|