I have a field that I can insert a certain name and find the user with the correspondent name,that was developed in react.
My code works when that name is like "test", but if the name is like "this test" (if the name has a space on it), my backend receives the name in this format ("this%20test") and when I am searching for that name on the database, the entry returns null.
How can I solve this? I want to solve this on my frontend because I think it´s the best option.
Any parameters passed as query params will be url-encoded and passed to your backend.
You need to url decode parameters in your backend.
See this to url decode in java
https://stackoverflow.com/a/6138183/3295987
Related
I am using RESTFUL webservices using Spring framework.Some information is displayed on the user interface using the data returned by webservices. There is a webservice, which gets the usernames and their roles from the database. For a particular user , I would like to have all the webservices display data in the form of ####,#### for first name,lastname ; ##/##/#### for date of birth etc. Since I am using JDBC to connect to the database, here's what I was thinking of doing:
Should I consider passing an additional parameter (maybe sending a value 0 or 1 ; 0 for all other users and 1 for user for which I want to hide the information) to each and every GET webservice so that when it comes to getting data from the database in the JDBC code part,I could check whether the flag is set to 1 or 0 and based on this, I could do something like this in the JDBC code :
// Code for a case when flag is set to `0`. Hence retrieving information from the database.
while(rs.next()) {
EmployeeList empList = new EmployeeList();
empList.setEmpId(empId);
empList.setEmployeeName(rs.getString("name"));
employeeList.add(empList);
}
// Code for a case when flag is set to `1`. Hence hiding information and not retrieving information from the database.
while(rs.next()) {
EmployeeList empList = new EmployeeList();
empList.setEmpId(empId);
empList.setEmployeeName("####,######");
employeeList.add(empList);
}
I am wondering, if this is an appropriate way to achieve my task or is there some other way around?
Edit:More clarifications on my requirements:
I am using jqxWidget in the UI to display the information I am getting from a RESTFUL webservice in JSON format. For example, let's consider this example and the screenshot for better understanding of my requirement:
1) Let's say I am getting all the information from the JSON response which I am populating in the jQXWidget as shown in the screenshot above.
2) In the above widget, I would like to hide say for example, First Name, Last Name and Quantity like the following:
First Name = XXXXX
Last Name = XXXXX
Quantity = ####
In my application, if a user clicks on a particular row , a new page is displayed with some additional information. After click, new sets of web services are called and those web services takes First Name, Last Name and Quantity as input parameters. My concern is that, if I somehow replace the First Name with XXXXX, Last Name with XXXXX and Quantity with #### using any approach, when a user clicks on any of the row of the widget, the next set of web services
are going to get XXXX and #### as input and eventually will fail. Please correct me if my understanding until this point is not correct.
Thanks
I am using Spring 4.2.5 version.
This depends on what sort of information hiding you want to achieve. Typically you shouldn't do this manually.
You can use, for example, role-based authorization. Exact details depends on the web-service framework you are using.
For spring MVC, you can use something similar to this:
Custom authorization in Spring MVC
I have a servlet that communicates with MySQL database and displays the information receive using a JSP (using offset and limit in MySQL). I want to implement pagination and buttons to sort the data. All of the required info for the SQL query is sent through the URL so it looks something like
http://localhost:8080/proj2/SearchMovieListServlet?txt_movie_genre=Biography&txt_order_by=title&txt_sql_order=ASC&txt_sql_limit=5&txt_pg=1
and what I want to accomplish is href a "next" and "previous" button and link it to the URL above, but with the txt_pg incremented/decremented by 1. How can I do this easily without rebuilding the URL?
I've got a database with names in it. These names sometimes contain non ascii characters e.g. González. I've got the collation settings such that if I search for WHERE LastName LIKE '%Gonzalez%' I get González's record back. In Management Studio I can search for both WHERE LastName LIKE '%Gonzalez%' and WHERE LastName LIKE '%González%' and both return the correct value. However when I use JPA / Hibernate the query that gets sent to the database clearly doesn't represent the á character correctly as I get 0 results.
When utilising the show_sql attribute I can see the actual query is fine, and If I copy and paste that query and replace the ? characters with '%González%' I get the correct results. Likewise if I search for Gonzalez through the web interface I get results, so I'm confident it's the á that is causing me problems, and it's only JPA / Hibernate that is causing the issue. (Having said that the issue could be the AJAX submission to the servlet that is causing the issue, but the parameter is sent as ?LastName=Gonz%C3%A1lez which I think is right?)
So if it's JPA / Hibernate how do I diagnose / fix the issue?
The show_sql logging configuration attribute only lets you see the formatted SQL statement, generated by Hibernate. To troubleshoot the problem further, you need to make sure the values, hibernate replaces the *'?'*s with, are actually correct. Look at the thread on how to see param values in hibernate log and adjust your application log settings.
The second step I'd suggest to add - is in your AJAX request, encode all your params as Base64 string, and then decode it back to UTF-8 string on the controller, handling the request.
The flow of logic should be as follow:
Client receives input 'González'
client encodes the input into 'R29uesOhbGV6' and passes it in AJAX request
controller, handling the request, decodes the parameter back to 'González'
controller passes the value down to hibernate logic, where hibernate generates SQL and executes it
in the application log, you see that hibernate actually passes 'González' parameter down to the database
I have written a program that reads a webservice, retrieving user data, and then is supposed to push that data to ActiveDirectory, thus updating the user's title, address, phone numbers, etc.
The problem is that when I perform the search using the Unboundid Connection class the requested attributes are not returned. Below is the search code:
SearchResult result = connection.search( properties.getProperty("ldap.search.baseDN"),
SearchScope.SUB, "(cn=" + userId + ")",
"personalTitle", "department", "company", "manager", "telephoneNumber",
"streetAddress", "I", "st", "postalCode", "c", "pager", "mobile",
"fax", "cn");
The above code locates the desired user and the cn attribute is returned as expected, but the other attributes all fail to return. If I connect to AD using JXplorer using the same connection credentials, I'm able to see all the desired attributes exist, but are simply not being returned.
I have tried substituting SearchRequest.ALL_OPERATIONAL_ATTRIBUTES, SearchRequest.ALL_USER_ATTRIBUTES and SearchRequest.REQUEST_ATTRS_DEFAULT rather than listing the fields explicitly, but with no success.
I have also looked at the 'Schema' object returned from 'connection.getSchema()' and can see that personalTitle should exist:
connection.getSchema().getAttributeType("personalTitle")
The above code returns:
1.2.840.113556.1.2.615 NAME 'personalTitle' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
So maybe this is a user permission issue? Has anyone experienced this and know how to resolve it?
Thanks,
Mike
LDAP search result entries only include attributes that actually have values, so the behavior you are seeing from the UnboundID LDAP SDK is appropriate and correct. Even if you explicitly request a particular attribute, that attribute will only be included in the entry if it has one or more values.
I think that you're confused by JXplorer because it's reading the schema to determine what attributes could possibly be included in the entry based on its object classes and is showing them to you so that you can set values for those attributes in the editor. But that doesn't mean that the entry returned by the server actually includes any information about those attributes.
To verify this, you can use the ldap-debugger tool provided with the LDAP SDK to see the actual LDAP communication that occurs. Just run a command like:
tools/ldap-debugger --hostname {directory-server-address} \
--port {directory-server-port} --listenPort {listen-port}
This will create a very simple LDAP proxy server that decodes all requests and responses that pass through it. To use it, simply point JXplorer at the specified listen-port. You will see that when JXplorer retrieves the entry, the entry returned by the server will only contain attributes that actually have values.
If you want to figure out what all the possible attributes are that you can include in a given entry, then use the LDAPConnection.getSchema method to retrieve the server schema, then Schema.getObjectClass for each of the object classes in the target entry, and finally use the ObjectClassDefinition.getRequiredAttributes and ObjectClassDefinition.getOptionalAttributes methods to see what attribute types must and may be used in entries with that object class.
I'm trying to pass an SQL query string from a Java Applet to Servlet as a parameter.
Problem is that in Applet I have something say: sql=select * from p where(+p=1)
The resulting sql parameter in the Servlet is sql=select * from p where(+p=1).
So anyone knows how to prevent the browser from removing the + character from parameters?
Is there a escape character?
Thank you.
Do not EVER do this. This is the direct way for the SQL injection (for example any user can insert the DELETE request to the get string and crash your server)
You can use java.net.URLEncoder for this.
param = URLEncoder.encode(param, "UTF-8");
That said, the whole idea is leaky and very prone to attacks. One could easily reveal the URL and manually send a DELETE FROM p to it. Rather send commands as parameters, not complete SQL queries. Keep and hide the SQL queries in the server side.