Category: Java

Prevent SQL Injections

Prevent SQL Injections

sql injections
sql injections

    Preventing SQL injections is pretty easy once you know what you are doing. Some of you who are new to databases might think about character substitutions, character escaping, or just outright banning of certain characters; but, those options are laborious and not nearly as simple or elegant. Instead, we can use a technique called SQL Parameterization. It’s a fancy word for a straightforward process. For this guide, I’ll be referencing a database titled Movies.

    To explain it simply, what we are going to do is use a “?” in place of inserting our value. We then have our value tied to the “?” which will then be interpreted as a string literal. Since it is being handled as a string literal and is being kept from interpretation, this keeps us from having our databases deleted, stolen, or used in unforeseen ways.

The setup looks like this:

// Instead of this.
$updateComm = "SELECT title FROM Movies WHERE id = '" . $ID . "'";

// We have this.
$updateComm = "SELECT title FROM Movies WHERE id = ?";

Again, the question mark is like a reference marker/bind point. Our data gets tied to it and is never interpreted. We next do a prepare statement that’ll allow us to bind values. The first way we can do this is by binding the values to the field individually.

Let’s take a look:

// We first setup a command with the properly inserted question marks.
$updateComm = "UPDATE Movies SET title = ?, link = ?, date = ? WHERE id = ?";
 
// We then set it up for preparation.
$updateStatement = $db->prepare( $updateComm );

// We then insert to the bind points.
// Note: They are in order of appearance in the command. 
//       This is why we bind to title first and then links, etc.
//       Keep this in mind when setting up commands.
//       Also, we don't start at zero but one.
$updateStatement->bindValue( 1, "I, Robot", PDO::PARAM_STR );
$updateStatement->bindValue( 2, "LINK", PDO::PARAM_STR );
$updateStatement->bindValue( 3, "July 7, 2004", PDO::PARAM_STR );
$updateStatement->bindValue( 4, 666999, PDO::PARAM_INT );
 
// We then execute the command which is properly set up.
$updateStatement->execute();

The second option is to just pass the arguments as an array without individual binding. Note once more that it is all based on order of the question marks.

$updateComm = "UPDATE Movies SET title = ?, link = ?, date = ? WHERE id = ?";
 
// We then set it up for preparation.
$updateStatement = $db->prepare( $updateComm );

// Then, just pass parameters as an array to the execute method.
$updateStatement->execute( array( "I, Robot", "LINK", "July 7, 2004", 666999) );

In both cases, everything is properly sanitized for you and you don’t have to worry about rogue single quotes or DROP TABLE commands getting through. You’re done! Easy right? At this point, all you have to do is look up your language and how to do the above steps and implement them for secure database interactions. Look at Rosetta Code for how other languges setup parameterization. In addition, if you’ve read any of my other articles, pick a project like my PHP7, SQLite3, and Ajax Tutorial to practice this on in addition to learning other skills and techniques.

Java – JSP File Uploader Tutorial

Java – JSP File Uploader Tutorial

JSP Image
jsp image

    Java is one of my favorite programming languages due to its straightforward nature and plethora of built-in options. It has a robust tie with web related technologies such as HTML, CSS, and JavaScript and is made easy to leverage through its server Tomcat. In addition to all that, the community is strong and provides additional functionality through Java ARchives (JARs).

    Now, if you have a web application and want dynamic pages and to leverage Java, you can use Java Server Pages (JSP) to create dynamic interfaces and data streams/access. This tutorial will be on how to upload a file through an HTML Form and JSP processing it to save to the server. To do this, you’ll need to use Tomcat with or without Apache/Nginx and Java 8 or up. For this example, I’ll be using Tomcat in standalone than coupling it with one of the other options. I’m programing on an Ubuntu based distribution so be aware of how your system interacts with Java and vise versa.


To Top


To Bottom

Setup

Tomcat Download

    Let’s start off by getting Tomcat and setting it up. Go to Tomcat 9 Download page and look under Binary Distributions. There, click on either the 32bit or 64 bit “core” zip for Windows if on Windows or simply select the first “core” zip in the list if on Linux.
From there, unzip it to a location you want to work from. Mine is in my home directory under a folder called
“Portable_Apps”. I unzip it and called it “Tomcat-9”.

Tomcat Setup

    Once unzipped and located where you want it, you will want to change its setting in order to use it fully. So, head into the directory and you will see many folders. Of them, there are four key folders to really pay attention to for this task. They are “bin”, “conf”, “lib”, and “webapps”. First, head to “conf” and edit the tomcat-users.xml file. In general, you’ll want to add a user that can access the “manager-gui” application that allows you to control what web applications are present. To do this, head to the bottom of the file where the commented out accounts are. Copy or type out an account that isn’t commented out.

Mine looks looks so:

<user username="admin" password="1234" roles="tomcat,manager-gui"/> 

Please note that the password needs to be something that is actually strong and in addition to that you should try to name the user as something that can’t be guessed by others. Anyway, go ahead and save the file. From there, take a look at the server.xml file.

Find:

<Connector port="8080" protocol="HTTP/1.1"
                    connectionTimeout="20000"
                    redirectPort="8443"
                    address="0.0.0.0" />

You can change the port or add multiple Connector sections to have multiple ports accessible for multiple applications. Please note that I have added the “address” part and it is by default not present. The addition let’s my network connect to the application after I’ve allowed the port to be accessed through the firewall rules. In Linux, for me, this was as simple as making sure UFW was installed and up and then in a terminal doing “sudo ufw allow <portNumber>/tcp”.

    OK, before we start Tomcat, we will want to get some additional libraries so that we can handle a file being sent to the JSP file. Go to these links and find the newest versions.

Links: FileUpload and Commons IO

Once downloaded, simply unzip them and ignore all but the JAR that has the name and version number. Move these JARs to the “lib” folder that I mentioned earlier. If you started Tomcat before this step, stop it and then start it so the libraries will load. If not, we are then ready to start Tomcat. To do this, open a command line or terminal and change directories to the “bin” folder.

From there, do:

// Linux
./catalina.sh start

// Windows
.\catalina.bat start

You might need to make the shell file executable and you can do this by running “chmod +x catalina.sh” from the folder in the terminal. If everything went well, you should see “Tomcat started.” as part of the output. You can now go to your webbrowser and type localhost:8080. If you see “If you’re seeing this, you’ve successfully installed Tomcat. Congratulations!” then we are set. To stop the server, simply replace “start” with “stop”. It’s time we managed our applications a bit.

Tomcat Manage Applications

    On the page, to your right, you’ll see a button called “Manager App”. Click it and login using the user information you created earlier. Here, we’ll see all the applications that are present. This coincides with the “webapps” folder I mentioned. In manager, the paths math the folder names in the “webapps” folder. Only “ROOT” doesn’t follow the naming scheme since it is just a forward slash. “ROOT” also is the container for what you saw when you loaded the page. We’ll want to move its contents to another location. In the “webapps” folder add a new folder called “toor”. Then, in the manager page, find the “Deploy” section and type toor into the “Context Path” section. Click “Deploy” and the section will be added. The rest is up to you but I’d Undeploy the “docs” and “examples” section to clear up space. Note, the folders will be deleted if you do this.

    OK, move the “ROOT” contents to the “toor” folder and then create two folders in the “ROOT” folder. They are “data” and “WEB-INF”. In the “WEB-INF” folder add a file called “web.xml”.

In it, add:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>File Uploader & Downloader</display-name>
  <description>
     File Uploader & Downloader
  </description>
</web-app>

OK, it’s time we write some code.

Code Breakdown

HTML

    There are really only two parts to this section, a form and an iframe. The rest is just fluff that HTML pages need for proper setup. Simply create the structure in an “index.html” file and insert the below into the “body” tag.

This is the important code:

<h2>File Uploader</h2>
    <form action="Uploader.jsp" method="post" enctype="multipart/form-data" target="FormSubmitter">
        <input type="reset" value="Clear">
        <input type="submit" name="submit"  value="Upload" />
        <input type="file" name="file" multiple />
    </form>
<iframe name="FormSubmitter" frameborder="0" style="width:100%;height:35em"></iframe>

Let’s break this down and understand the parts. We have a form and its action is the JSP file, “Uploader.jsp”. The JSP file will process the submitted info to it and save it. The method used is “post” because what is being submitted is a file or files. The encode type is “multipart/form-data” because we will have to submit files and this setting is what is used to do so. From there, to avoid redirecting the page on submission, we send the process to the iframe.

    In the form part, we have three input tags. The first simply clears the form data. The second submits the form or in this case the files. The third is the file selector. Reference the Full HTML section if you need to know the structure of the rest of the file. OK, we can now look at our JSP file, the good meaty Java code that glues this whole thing together.

JSP

    Go ahead and create a JSP file called “Uploader.jsp”. In the beginning, there was imports. In this beginning, we need a few of them.
Let’s look at them:

<%@ page import="org.apache.commons.fileupload.servlet.ServletFileUpload"%>
<%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory"%>
<%@ page import="org.apache.commons.fileupload.*"%>
<%@ page import="java.util.Iterator" %>
<%@ page import="java.util.List" %>
<%@ page import="java.io.File" %>

If we look at the imports, we already can get an idea of the structure of the program or take guesses as to how it might be written. We will iterate through a list of the uploaded file(s) and probably use the File object to write the selected file to a location. The other imports handle the actual receiving of the data. Now that we have the needed imports, let’s get some initial stuff set up.

Here is the start of the code:

<%
    boolean isMultipart = ServletFileUpload.isMultipartContent(request);
    String dirPath = getServletContext().getRealPath("/").replace('\\', '/') +
                                                                      "data/";
    String itemName;
    File file;


    out.println(
        "<!DOCTYPE html>"
        + "<html><head>"
        + "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />"
        + "<title>Results</title>"
        + "</head> <body>"
    );

    Let’s break this down and understand the parts. The first is a boolean that we will check against to see if the data being sent is of multipart/form-data. The next part is the proper path to the “data” folder we created a while back. For Windows, I’m pretty sure you don’t need the “replace” part. We then setup a String called “itemName” that’ll be used to get the file name from the iterated data to then join with the “dirPath” so we can save it in the proper location. We also setup a File object we’ll use later. After all that, we print out the initial HTML syntax for return of the listed out “data” folder in HTML. We are well on our way to being able to upload files to our server. Let’s cover the middle meat of our JSP.

Here is the code:

    // Save file if present
    if (isMultipart) {
        FileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);
        List list = null;

        try { list = upload.parseRequest(request);
        } catch (FileUploadException e) { out.println(e); }

        Iterator itr = list.iterator();
        while (itr.hasNext()) {
            FileItem item = (FileItem) itr.next();
            if (!item.isFormField()) {
                try {
                    itemName = item.getName();
                    file = new File(dirPath + itemName);
                    item.write(file);
                } catch (Exception e) { }
            }
        }
    } else {
        out.println("<h2>Not multi-part transmitted...</h2>");
    }

As was stated, we first check to see if the data being sent is of multipart/form-data. If not we just return a message saying it’s incorrectly submitted. If it’s correct, we do some initial setting up processes by creating a FileItemFactory object. This is an interface for creating FileItem instances which are themselves a representation of the file or formfield data which will be stored in memory or on disk as temporary files. Files are stored in memory if small and on disk if too large when checked against the default size or the one you specify (We aren’t specifying size for this guide.). We then use a high level API for processing file uploads by way of the ServletFileUpload object.

    To determine files, we use the “parseRequest” method to get a list of files that are then sent to the previously created List object that is null. We do as previously mentioned and set up an Iterator object and traverse it with a while loop. In the while loop we create our FileItem which represents our listed file. We check to see if the FileItem instance represents a simple form field or an actual file. If it’s a file, we then get its name and then merge that name with the previously determined directory path. (Some of these settings can be setup in the “web.xml” we created but in this case we hard coded it.) This all is set in a new File object. We then use the FileItem object to write its data to the new File object we created and thus “upload” the file. Let’s finish the JSP code by returning a list of the files in the directory.

Here is the code:

    // List directory
    File curentDir = new File(dirPath);
    String[] list = curentDir.list();
    out.println("<ol>");
    for (int i=0; i<list.length; i++) {
            out.print("<li><a href='data/" + list[i] + "'/>" + list[i] + "</a></li>");
    }
    out.println("</ol>");
    out.println("</body></html>");
%>

    This last part is a bit of an added bonus. We will list the directory containing our files. Let’s break it down. We first create a new File Object and reference the “data” directory path. We list it out in a newly created String array object which we will use below. But next, we print out the “ordered list” tag. We then loop through the String array and printout HTML that has the “list item” tag and an anchor” tag nested in it that references the path and name of the file. We then close out all tags and party like it’s 1941.

Conclusion

Discussion

    At this point, you should add some CSS to get things styled the way you want it to. There isn’t too much I’m aware of that needs covering given the simplicity of the task. Upload file, process file, return data, and that’s it. You might want to look at other tasks like filling a database up with user input or make a directory traverser to view videos, images, or text files. It’s all up to you. If you know Java, then JSP is pretty much that but with web technologies.

For Next Time

    For next time, one should look at limiting upload sizes. In this example and for my personal usage, I don’t want a limitation since I’m working with my own files. In production though, it is IMPERATIVE that files be limited in size and there needs to be checks so as the server’s disk space isn’t by accident consumed entirely by a person uploading a file. Other than that, I have no other thoughts on the matter.

Full Code

HTML

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <title>File Uploader</title>
</head>
<body>


<h2>File Uploader</h2>
    <form action="Uploader.jsp" method="post" enctype="multipart/form-data" target="FormSubmitter">
        <input type="reset" value="Clear">
        <input type="submit" name="submit"  value="Upload" />
        <input type="file" name="file" multiple />
    </form>

<iframe name="FormSubmitter" frameborder="0" style="width:100%;height:35em"></iframe>
</body>
</html>

JSP

<%@ page import="org.apache.commons.fileupload.servlet.ServletFileUpload"%>
<%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory"%>
<%@ page import="org.apache.commons.fileupload.*"%>
<%@ page import="java.util.Iterator" %>
<%@ page import="java.util.List" %>
<%@ page import="java.io.File" %>

<%
    boolean isMultipart = ServletFileUpload.isMultipartContent(request);
    String dirPath = getServletContext().getRealPath("/").replace('\\', '/') +
                                                                      "data/";
    String itemName;
    File file;


    out.println(
        "<!DOCTYPE html>"
        + "<html><head>"
        + "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />"
        + "<title>Results</title>"
        + "</head> <body>"
    );

    // Save file if present
    if (isMultipart) {
        FileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);
        List list = null;

        try { list = upload.parseRequest(request);
        } catch (FileUploadException e) { out.println(e); }

        Iterator itr = list.iterator();
        while (itr.hasNext()) {
            FileItem item = (FileItem) itr.next();
            if (!item.isFormField()) {
                try {
                    itemName = item.getName();
                    file = new File(dirPath + itemName);
                    item.write(file);
                } catch (Exception e) { }
            }
        }
    } else {
        out.println("<h2>Not multi-part transmitted...</h2>");
    }

    // List directory
    File curentDir = new File(dirPath);
    String[] list = curentDir.list();
    for (int i=0; i<list.length; i++) {
        String name = list[i].toLowerCase();
        if (name.contains(".png") || name.contains(".jpg")||
            name.contains(".gif") || name.contains(".jpeg")) {
                out.print("<div>" +
                          "<img src='data/" + list[i] + "'/></div>");
        } else {
            out.print("<a href='data/" + list[i] + "'/><div>" + list[i] + "</div></a>");
        }
    }

    out.println("</body></html>");
%>

Images

before file select
before file select
file select
file select
file uploaded
file uploaded

file playing
file playing

If you liked this article, please check out the others I have written. One I recommend is my reference cheat sheet for HTML, CSS, and JavaScript. You can use it while styling your JSP file uploader application.


Web Technologies
Web Technologies

Schools Should Teach Kids Scripting

Schools Should Teach Kids Scripting

    Schools should teach kids scripting. When I say kids I am thinking of those old enough to be in grades 5-8. Forget actual programming (though one may argue scripting is programming) and get them into Bash. I say Bash because it’s already installed on most major platforms with Microsoft finally coming around in Windows 10. One may ask why and the answer is simple. It is simple. There is no need to install compilers and there is no need to worry about includes or imports or whatever else others have cleverly implemented to create despair in a programmer. Not only that, it gets the core ideas of programming down. Sure, it isn’t Object Oriented Programming (OOP) but that is a minor issue when we are talking about kids. The gist of programming is understanding iterations, functions, variables, assignment, general maths, and other bits and bobs. Once these are down, it is relatively easy to learn most languages. As an example of how easy it is to get started, I will show an example that prints to the terminal screen “Hello World!” and the current user that is logged in with a separate function for each: main and showUser.

Bash Example

#!/bin/bash

function main() {
    echo "Hello World!"; // Prints to the terminal Hello World.
    showUser;            // Calls showUser function
}

function showUser() {
    me=`whoami`;  // Runs a command and assigns the output to me
    echo $me;     // calls the variable me and prints to the terminal.
}
main; // Calls main function

When in a Linux environment this can be made more advanced with simple GUIs through zenity, yad, or dialog.
I wont show an example for those but one should get the drift.

    From the established core, one will then focus their attention on concepts like encapsulation, obfuscation, polymorphism, etc. Getting core concepts involving imperative statements and logical procedure is the hardest part. Having had my programming career start off this way makes me biased but it seems to me to be a more logical flow. Schools covering grades 9-12 should cover concepts of OOP by using Java which is a proper programming language. I advocate for Java because of its FX library and the tools that allow one to create full fledged programs. As case and point, let’s look at how easy it is to create a window with a button. To see how easy it is I will use an analogy of a play being setup.

Java Example

import javafx.application.Application;  // The building where the play is
import javafx.stage.Stage;              // The stage in the building
import javafx.scene.Scene;              // The scene of the play. Ie, are we in a city, park, house
import javafx.scene.layout.AnchorPane;  // The confinement of the objects in the scene. Like a house or ally with walls.
import javafx.scene.control.Button;     // The actual objects of the play. Plants, pots, food, etc.

public class Main extends Application {
    @Override
    public void start(Stage stage) {
        // define what is going to be in the scene
        AnchorPane pane = new AnchorPane();    // Create the confinement of where objects go.
        Button closeBttn = new Button("Close Stage Curtain");  // Create an object for our world. A button called Close Stage Curtain.

        pane.getChildren().add(closeBttn);            // Add to the confinement
        Scene scene = new Scene(pane, 800, 600);      // Determin what the scene is comprised of. Ie, dogs and cats with plants?

        stage.setTitle("The Phantome of the Opera");  // Tell the world what play we are seeing
        stage.setResizable(false);    // Limit the stage size to what size the scene says and no more or less
        stage.setScene(scene);        // Set our scene onto the stage
        stage.show();                 // Open the curtains

        closeBttn.setOnAction(e -> {
            stage.close();  // Close the stage curtain
        });
    }

    public static void main(String[] args) { launch(args); }
}

Excluding the fluff of importing the needed libraries and calling main, one can with nine to ten meaningful commands setup a window with a proper title and a button. Not only that, the button closes the window. Amazing! I also like using the play analogy because it gives the top to bottom logic of how Java operates to setup a window. In addition, Java uses HTML and CSS for styling windows. This is awesome because it adds another useful tool were one to get further along in learning all there is to know about tech. So what are your thoughts? Should schools teach kids in this order and with these selected languages? Comment below or Message me through email.

ITDominator’s Github Projects

ITDominator’s Github Projects

Github:
Github Cat Image
    This is my Github account. I have accumulated a good number of programs and repositories over the years. Though, much of it has now been setup in an archive repository since I no longer support the code. The ones not in the archive are my active projects and represent my current skill level barring proper try/catch handling which I am too lazy to implement at this time. Otherwise, they are my projects to improve my coding skills.

    PS – Yes, not all (probably most) properly meet OOP standards. This is a personal choice since I don’t want to create a number of files just to have code split up properly. One controller file suits my needs just fine at this time. Though, one or two will eventually get refactored and setup to meet OOP standards.

Redirect