Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>The wholde idea about this interface is to maintain a list of valid parameter names and there by rejecting any request parameters that are not in this list(whitelist).This is really helpfull in situations where a hacker tries to include unwanted form field values as a hidden variable that are likely to execute in certain situations.For example, include so many form fiels varialbles (>10000 etc) that may create Denial Of serice on server side.</p> <p>Once you have implemented this, you can immediatly reject any unwanted parameters in the current request scope or you can take a better control of this situation.</p> <p>Probable implementation :</p> <p>Implement the <code>ParameterNameAware</code> interface and override its <code>acceptableParameterName</code> method as follows:</p> <pre><code> public boolean acceptableParameterName(String parameterName) { boolean allowedParameterName = true ; if ( parameterName.contains("session") || parameterName.contains("request") ) { allowedParameterName = false ; } return allowedParameterName; } </code></pre> <p>You need to implement this interface in your form bean that is having getter and setter methods in it. In this particular example, if the current request contains any form field variable like request or session, then it is a failure scenario.This is just a typical example here. There is a complete documentation in this link <a href="http://struts.apache.org/2.0.6/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html" rel="nofollow">Class ParametersInterceptor</a></p>
    singulars
    1. This table or related slice is empty.
    1. POAvoiding Parameter Tampering using ParameterNameAware interface (Struts2)
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USUVM
    1. USUVM
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POAvoiding Parameter Tampering using ParameterNameAware interface (Struts2)
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. COThanx for the response. am little confused on this, mean to say the process. How often acceptableParameterName() is called, and finding the acceptable parameters(whitelist) in my action class (is it all variables with setter&getters used in action?). As you said, when an attacker changes query string with too many parameters then how can it be accepted by our action class without input data variables defined, it has to show error 404. I am really sry, if am confusing you. newbie struts2 :-)
      singulars
      1. PO
      1. USRony
    2. CO@Rocky_Rony, Your whitelist is nothing but predefined set of form field variables that are expected in the request.You need to implement this interface in your bean class.I have updated my answer.
      singulars
      1. PO
      1. USUVM
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload