[Oscarmcmaster-cvscommit] oscar_mcmaster/web/WEB-INF/classes/src/oscar/login LoginCheckLoginBean.j
open source web-based Electronic Medical Record (EMR) system
From: Marc D. <hex...@us...> - 2007-03-24 20:38:30
Update of /cvsroot/oscarmcmaster/oscar_mcmaster/web/WEB-INF/classes/src/oscar/login In directory sc8-pr-cvs3.sourceforge.net:/tmp/cvs-serv23688/web/WEB-INF/classes/src/oscar/login Modified Files: LoginCheckLoginBean.java Log Message: fixed some possible security risks Index: LoginCheckLoginBean.java =================================================================== RCS file: /cvsroot/oscarmcmaster/oscar_mcmaster/web/WEB-INF/classes/src/oscar/login/LoginCheckLoginBean.java,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** LoginCheckLoginBean.java 12 Nov 2006 00:21:53 -0000 1.16 --- LoginCheckLoginBean.java 24 Mar 2007 19:01:25 -0000 1.17 *************** *** 20,23 **** --- 20,24 ---- import java.util.Properties; + import org.apache.commons.lang.StringEscapeUtils; import org.apache.log4j.Logger; *************** *** 135,139 **** accessDB = new DBHelp(); ! String sql = "select * from security where user_name = '" + username + "'"; ResultSet rs = accessDB.searchDBRecord(sql); while (rs.next()) { --- 136,141 ---- accessDB = new DBHelp(); ! ! String sql = "select * from security where user_name = '" + StringEscapeUtils.escapeSql(username) + "'"; ResultSet rs = accessDB.searchDBRecord(sql); while (rs.next()) { |
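Review bot: the new `import org.apache.commons.lang.StringEscapeUtils;` in the first hunk makes this login bean depend on commons-lang; confirm the jar is already in `WEB-INF/lib` (or is added in the same commit), otherwise the class fails to load at runtime and the login page breaks. If the query in the second hunk is moved to a `PreparedStatement`, this import is not needed at all.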
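Review bot: the changed `String sql = "select * from security where user_name = '" + StringEscapeUtils.escapeSql(username) + "'";` line still builds the statement by string concatenation, and `escapeSql` only doubles single quotes; it does nothing about backslash escaping (which matters on MySQL, for instance), so this narrows the injection surface rather than closing it. The robust fix is a parameterised query, `select ... from security where user_name = ?` with `setString(1, username)` on a `PreparedStatement`, which keeps the value out of the SQL text entirely; `DBHelp.searchDBRecord(sql)` would need a variant that accepts bound parameters. Two smaller points in the same hunk: the added `! ` blank line before `String sql` is unrelated whitespace and should be dropped, and `select *` could be narrowed to the columns the `while (rs.next())` loop actually reads.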