The Java Platform
This section describes ways to acquire user-supplied input, ways to interact with the user's session, potentially dangerous APIs, and security-relevant configuration options on the Java platform.
Identifying User-Supplied Data
Java applications acquire user-submitted input via the javax.servlet.http.HttpServletRequest interface, which extends the javax.servlet.ServletRequest interface. These two interfaces contain numerous APIs that web applications can use to access user-supplied data. The APIs listed in Table 19.1 can be used to obtain data from the user request.
Table 19.1 APIs Used to Acquire User-Supplied Data on the Java Platform
API | Description
--- | ---
getParameter, getParameterNames, getParameterValues, getParameterMap | Parameters within the URL query string and the body of a POST request are stored as a map of String names to String values, which can be accessed using these APIs.
getQueryString | Returns the entire query string contained...
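As an added example, not code from the book: a hypothetical servlet that reads one parameter through each of the APIs in Table 19.1, so that the differences a code reviewer has to keep in mind (first value only versus all values, raw query string versus decoded parameters, query-string versus form-body input) are visible on a single request, followed by an allow-list check before the value is used. The class name, the /params path and the id parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the book) exercising the Table 19.1 entry points.
// Map it to a path such as /params in web.xml or with @WebServlet.
public class ParameterEntryPointsServlet extends HttpServlet {
    // Allow-list for the one parameter this servlet actually consumes.
    private static final Pattern ID_PATTERN = Pattern.compile("[0-9]{1,10}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // getQueryString: the raw, still URL-encoded text after '?', or null.
        // Code that parses it by hand bypasses the container's decoding, so a
        // reviewer tracks it as a taint source of its own.
        out.println("getQueryString = " + req.getQueryString());
        // getParameter: only the FIRST value for a name, null if absent.
        // For ?id=7&id=8 this yields "7"; getParameterValues yields both.
        String id = req.getParameter("id");
        out.println("getParameter(\"id\") = " + id);
        String[] ids = req.getParameterValues("id");
        out.println("getParameterValues(\"id\") = "
                + (ids == null ? "null" : Arrays.toString(ids)));
        // getParameterMap / getParameterNames: the merged, decoded view of
        // query-string and form-body parameters as String -> String[].
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            out.println("param " + e.getKey() + " = " + Arrays.toString(e.getValue()));
        }
        // Validate against the allow-list before the value reaches any sink,
        // and reject a multi-valued "id" instead of silently taking the first.
        boolean valid = ids != null && ids.length == 1
                && ID_PATTERN.matcher(ids[0]).matches();
        out.println("id accepted = " + valid);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp); // form-body parameters surface through the same APIs
    }
}
```

Requesting /params?id=7&id=8 shows getParameter returning only "7" while getParameterValues returns both, which is why the validation step checks the array length rather than the single value.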