best way to avoid sql injection

Posted by aauser on Stack Overflow See other posts from Stack Overflow or by aauser
Published on 2010-06-05T19:30:47Z Indexed on 2010/06/05 19:32 UTC
Read the original article Hit count: 164

Filed under:
|
|

I got similar domain model

  • 1) User. Every user got many cities. @OneToMany(targetEntity=adv.domain.City.class...)
  • 2) City. Every city got many districts @OneToMany(targetEntity=adv.domain.Distinct.class)
  • 3) Distintc

My goal is to delete distinct when user press delete button in browser. After that controller get id of distinct and pass it to bussiness layer. Where method DistinctService.deleteDistinct(Long distinctId) should delegate deliting to DAO layer.

So my question is where to put security restrictions and what is the best way to accomplish it. I want to be sure that i delete distinct of the real user, that is the real owner of city, and city is the real owner of distinct. So nobody exept the owner can't delete ditinct using simple url like localhost/deleteDistinct/5.

I can get user from httpSession in my controller and pass it to bussiness layer.

After that i can get all cities of this user and itrate over them to be sure, that of the citie.id == distinct.city_id and then delete distinct.

But it's rather ridiculous in my opinion.

Also i can write sql query like this ...

delete from t_distinct where t_distinct.city_id in (select t_city.id from t_city left join t_user on t_user.id = t_city.owner_id where t_user.id = ?) and t_distinct.id = ?

So what is the best practice to add restrictions like this.

I'm using Hibernate, Spring, Spring MVC by the way..

Thank you

© Stack Overflow or respective owner

Related posts about java

Related posts about hibernate