Oracle
JDeveloper 10g for Forms &
PL/SQL
Developers
| Chapter | 15 | |
| Section | Preventing SQL Injection Attacks | Securing Find Mode | |
| Code | detectInjection( ) | |
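/**
 * Heuristic screen of a Find Mode criteria value for SQL-injection attempts.
 *
 * <p>The criteria is trimmed and upper-cased, then matched against a regular
 * expression. In {@code restrictive} mode any criteria that <em>starts</em> with
 * a comparison operator or SQL predicate keyword ({@code >=}, {@code <=},
 * {@code <}, {@code >}, {@code <>}, {@code !=}, {@code =}, {@code BETWEEN},
 * {@code IN}, {@code LIKE}, {@code IS}) is rejected. Otherwise only a leading
 * {@code =}, {@code !=} or {@code LIKE} is rejected, plus any occurrence of one
 * of {@code columnNames} anywhere in the criteria.
 *
 * <p>The patterns have no word boundaries: in restrictive mode a value such as
 * {@code "ISLAND"} is rejected because it starts with {@code IS}, and in loose
 * mode a column name that is a substring of legitimate input (e.g. {@code "ID"}
 * inside {@code "DAVID"}) is also rejected. This is a coarse filter, not a
 * substitute for bind variables.
 *
 * @param criteria    the raw criteria entered by the user; may be {@code null}
 * @param columnNames regex alternation of column names to look for, e.g.
 *                    {@code "EMPNO|ENAME"}; it is spliced into the pattern
 *                    verbatim, so it must already be upper-case and contain no
 *                    unescaped regex metacharacters. Only consulted when
 *                    {@code restrictive} is {@code false}; an empty string
 *                    yields an alternative that matches everything, so every
 *                    non-blank criteria is then rejected (fail closed)
 * @param restrictive {@code true} for the operator/keyword check, {@code false}
 *                    for the looser leading-operator / column-name check
 * @return the original {@code criteria} (untrimmed) if it passed, or
 *         {@code null} if it was rejected or was itself {@code null}
 * @throws java.util.regex.PatternSyntaxException if {@code columnNames} does
 *         not form a valid regular expression
 */
protected String detectInjection(String criteria,
                                 String columnNames,
                                 boolean restrictive)
{
    // Null cannot be screened; the previous version dereferenced criteria
    // before its null check and would throw. Treat null as rejected.
    if (criteria == null)
    {
        return null;
    }

    // Locale.ROOT: under the default locale's case mapping (e.g. Turkish
    // dotless i) "like"/"in"/"is" upper-case to strings that no longer match
    // the keyword alternatives below, so the input would slip past the check.
    String testCriteria = criteria.trim().toUpperCase(java.util.Locale.ROOT);
    if (testCriteria.length() == 0)
    {
        // Blank input has nothing to match; hand it back unchanged.
        return criteria;
    }

    String testPattern;
    if (restrictive)
    {
        testPattern = "^(>=|<=|<|>|<>|!=|=|BETWEEN|IN|LIKE|IS)";
    }
    else
    {
        // Leading =, != or LIKE, or a column name anywhere in the criteria.
        testPattern = "(^(=|!=|LIKE))|(" + columnNames + ")";
    }

    // find(): the restrictive pattern is anchored with ^, while the loose
    // pattern's column-name alternative may match at any position.
    Matcher matcher = Pattern.compile(testPattern).matcher(testCriteria);
    return matcher.find() ? null : criteria;
}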