Full Doc1

Combinatorial Approach for Preventing SQL
Injection Attacks
Abstract:
A combinatorial approach for protecting Web applications against SQL injection is discussed in this
paper, which is a novel idea of incorporating the uniqueness of Signature based method and auditing
method. The major issue of web application security is the SQL Injection, which can give the attackers
unrestricted access to the database that underlie Web applications.Many software systems have evolved to
include a Web-based component that makes them available to the public via the Internet and can expose
them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers
unrestricted access to the databases that underlie Web applications and has become increasingly frequent
and serious. This paper presents a new highly automated approach for protecting Web applications against
SQL injection that has both conceptual and practical advantages over most existing techniques. From a
conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of
syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient, has minimal
deployment requirements, and incurs a negligible performance overhead in most cases. We have
implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used
to perform an empirical evaluation on a wide range of Web applications that we subjected to a large and
varied set of attacks and legitimate accesses. WASP was able to stop all of the otherwise successful attacks
and did not generate any false positives.
Objective
SQL injection techniques are an increasingly dangerous threat to the security of information
stored upon Oracle Databases. These techniques are being discussed with greater regularity on security
mailing lists, forums, and at conferences. There have been many good papers written about SQL Injection
and a few about the security of Oracle databases and software but not many that focus on SQL injection
and Oracle software. This is the first article in a two-part series that will examine SQL injection attacks
against Oracle databases. The objective of this series is to introduce Oracle users to some of the dangers of
SQL injection and to suggest some simple ways of protecting against these types of attack. SQL injection
techniques are an increasingly dangerous threat to the security of information stored upon Oracle
Databases. These techniques are being discussed with greater regularity on security mailing lists, forums,
and at conferences. There have been many good papers written about SQL Injection and a few about the
security of Oracle databases and software but not many that focus on SQL injection and Oracle software.
This is the first article in a two-part series that will examine SQL injection attacks against Oracle databases.
The objective of this series is to introduce Oracle users to some of the dangers of SQL injection and to
suggest some simple ways of protecting against these types of attack.
PLATFORM
A platform is the hardware or software environment in which a program runs. We’ve
already mentioned some of the most popular platforms like Windows 2000, Linux,
Solaris, and MacOS. Most platforms can be described as a combination of the operating
system and hardware. The Java platform differs from most other platforms in that it’s a
software-only platform that runs on top of other hardware-based platforms.
The Java platform has two components:
• The Java Virtual Machine (Java VM)
• The Java Application Programming Interface (Java API)
You’ve already been introduced to the Java VM. It’s the base for the Java platform and is
ported onto various hardware-based platforms.
The Java API is a large collection of ready-made software components that provide many
useful capabilities, such as graphical user interface (GUI) widgets. The Java API is
grouped into libraries of related classes and interfaces; these libraries are known as
packages. The next section, What Can Java Technology Do?, highlights what
functionality some of the packages in the Java API provide.
The following figure depicts a program that’s running on the Java platform. As the figure
shows, the Java API and the virtual machine insulate the program from the hardware.
Native code is code that after you compile it, the compiled code runs on a specific
hardware platform. As a platform-independent environment, the Java platform can be a
bit slower than native code. However, smart compilers, well-tuned interpreters, and just-
in-time bytecode compilers can bring performance close to that of native code without
threatening portability.
What Can Java Technology Do?

The most common types of programs written in the Java programming language are
applets and applications. If you’ve surfed the Web, you’re probably already familiar with
applets. An applet is a program that adheres to certain conventions that allow it to run
within a Java-enabled browser.
However, the Java programming language is not just for writing cute, entertaining applets
for the Web. The general-purpose, high-level Java programming language is also a
powerful software platform. Using the generous API, you can write many types of
programs.
An application is a standalone program that runs directly on the Java platform. A special
kind of application known as a server serves and supports clients on a network. Examples
of servers are Web servers, proxy servers, mail servers, and print servers. Another
specialized program is a servlet. A servlet can almost be thought of as an applet that runs
on the server side. Java Servlets are a popular choice for building interactive web
applications, replacing the use of CGI scripts. Servlets are similar to applets in that they
are runtime extensions of applications. Instead of working in browsers, though, servlets
run within Java Web servers, configuring or tailoring the server.
How does the API support all these kinds of programs? It does so with packages of
software components that provide a wide range of functionality. Every full
implementation of the Java platform gives you the following features:
• The essentials: Objects, strings, threads, numbers, input and output, data
structures, system properties, date and time, and so on.
• Applets: The set of conventions used by applets.
• Networking: URLs, TCP (Transmission Control Protocol), UDP (User
Data gram Protocol) sockets, and IP (Internet Protocol) addresses.
• Internationalization: Help for writing programs that can be localized
for users worldwide. Programs can automatically adapt to specific locales and be
displayed in the appropriate language.
• Security: Both low level and high level, including electronic signatures,
public and private key management, access control, and certificates.
• Software components: Known as JavaBeansTM, can plug into existing
component architectures.
• Object serialization: Allows lightweight persistence and communication
via Remote Method Invocation (RMI).
• Java Database Connectivity (JDBCTM): Provides uniform access to a
wide range of relational databases.
The Java platform also has APIs for 2D and 3D graphics, accessibility, servers,
collaboration, telephony, speech, animation, and more. The following figure depicts what
is included in the Java 2 SDK.
How Will Java Technology Change My Life?
We can’t promise you fame, fortune, or even a job if you learn the Java programming
language. Still, it is likely to make your programs better and requires less effort than
other languages. We believe that Java technology will help you do the following:
• Get started quickly: Although the Java programming language is a

powerful object-oriented language, it’s easy to learn, especially for programmers
already familiar with C or C++.
• Write less code: Comparisons of program metrics (class counts, method
counts, and so on) suggest that a program written in the Java programming
language can be four times smaller than the same program in C++.
• Write better code: The Java programming language encourages good
coding practices, and its garbage collection helps you avoid memory leaks. Its
object orientation, its JavaBeans component architecture, and its wide-ranging,
easily extendible API let you reuse other people’s tested code and introduce
fewer bugs.
• Develop programs more quickly: Your development time may be as
much as twice as fast versus writing the same program in C++. Why? You write
fewer lines of code and it is a simpler programming language than C++.
• Avoid platform dependencies with 100% Pure Java: You can keep
your program portable by avoiding the use of libraries written in other languages.
The 100% Pure JavaTM Product Certification Program has a repository of
historical process manuals, white papers, brochures, and similar materials online.
• Write once, run anywhere: Because 100% Pure Java programs are
compiled into machine-independent bytecodes, they run consistently on any Java
platform.
• Distribute software more easily: You can upgrade applets easily from a
central server. Applets take advantage of the feature of allowing new classes to
be loaded “on the fly,” without recompiling the entire program.
Java Server™ Pages
Java Server™ Pages is a simple, yet powerful technology for creating and maintaining
dynamic-content web pages. Based on the Java programming language, Java Server Pages offers
proven portability, open standards, and a mature re-usable component model.
The Java Server Pages architecture enables the separation of content generation from
content presentation. This separation not only eases maintenance headaches, it also allows web
team members to focus on their areas of expertise. Now, web page designers can concentrate on
layout, and web application designers on programming, with minimal concern about impacting
each other’s work.
Portability
Java Server Pages files can be run on any web server or web-enabled application server
that provides support for them. Dubbed the JSP engine, this support involves recognition,
translation, and management of the Java Server Page lifecycle and its interactions with associated
components.
The JSP engine for a particular server might be built-in or might be provided through a
rd
3 -party add-on. As long as the server on which you plan to execute the Java Server Pages
supports the same specification level as that to which the file was written, no changes should be
necessary as you move your files from server to server. Note, however, that instructions for the
setup and configuration of the files may differ between files.
To date, there has been no upwards- or backwards-compatibility between Java Server
Pages specifications. A Java Server Pages file written to the 0.92 specification can be run only on
a server supporting Java Server Pages 0.92. The same file could not run on a server supporting
only Java Server Pages 1.0 or Java Server Pages 0.91.
Composition
It was mentioned earlier that the Java Server Pages architecture can include reusable Java
components. The architecture also allows for the embedding of a scripting language directly into
the Java Server Pages file.
The components current supported include Java Beans, and Servlets. Support for
Enterprise Java Beans components will likely be added in a future release. As the default
scripting language, Java Server Pages use the Java programming language . This means that
scripting on the server side can take advantage of the full set of capabilities that the Java
programming language offers. Support for other scripting languages might become available in
the future.
Processing
A Java Server Pages file is essentially an HTML document with JSP scripting or tags. It
may have associated components in the form of .class, .jar, or .ser files—or it may not. The use of
components is not required.
The Java Server Pages file has a .jsp extension to identify it to the server as a Java Server Pages
file. Before the page is served, the Java Server Pages syntax is parsed and processed into a servlet
on the server side. The servlet that is generated outputs real content in straight HTML for
responding to the client. Because it is standard HTML, the dynamically generated response looks
no different to the client browser than a static response.
Access Models
A Java Server Pages file may be accessed in at least two different ways:
1. A client request comes directly into a Java Server Page.
In this scenario, suppose the page accesses reusable JavaBean components that perform
particular well-defined computations like accessing a database. The result of the Bean’s
computations, called result sets are stored wihtin the Bean as properties. The page uses
such Beans to generate dynamic content and present it back to the client.
2. A request comes through a servlet.
The servlet generates the dynamic content. To handle the response to the client, the
servlet creates a Bean and stores the dynamic content (sometimes called the result set) in
the Bean. The servlet then invokes a Java Server Page that will present the content along
with the Bean containing the generated from the servlet.
There are two APIs to support this model of request processing using Java Server Pages.
One API facilitates passing context between the invoking servlet and the Java Server
Page. The other API lets the invoking servlet specify which Java Server Page to use.
In both of the above cases, the page could also contain any valid Java code. The Java Server
Pages architecture encourages separation of content from presentation—it does not mandate it.
How to Choose Between Access Models

With at least two access models, the question naturally arises “When does it make sense to have a
Java Server Page as the front-end to a servlet, as the back-end to a servlet, or use only the servlet?
Here are some possible guidelines:
• If a graphical interface (GUI) is necessary to collect the request data—use a Java Server
Pages file.
• If the request and request parameters are otherwise available to the servlet, but the results
of the servlet processing requires a graphical interface to present them—use a Java Server
Pages file.
• If presentation layout is minimal (will not require very many println lines in your servlet
code) and you don’t need to make that presentation logic available to a customer or your
webpage designer, then a Servlet might suffice.
Using XML with JSP:
The Java Server Pages technology is an ideal way to describe processing of XML input
and output. Simple XML generation can be done by just writing the XML as static template
portions within the JSP. Dynamic generation will be done through JavaBeans components,
Enterprise JavaBeans components, or via custom tags that generate XML. Similarly, input XML
can be received from POST or QUERY arguments and then sent directly to JavaBeans
components, Enterprise JavaBeans components, or custom tags, or manipulated via the scripting.
There are two attributes of JSP that make it specially suited for describing XML processing. One
is that XML fragments can be described directly in the JSP text either as templates for input into
some XML-consuming component or as templates for output to be extended with some other
XML fragments. Another attribute is that the tag extension mechanism enables the creation of
specific tags and directives that are targeted at useful XML manipulation operations.
Future versions of the JSP specification will include several standard tags that will support XML
manipulation, including the transformation of the XML produced by the given JSP using
XTL/XSL.
Features in JSP 1.0

The JSP 1.0 specification has mandatory and optional features. JSP 1.0 enables a tag
extension mechanism for the creation of custom tags but such a mechanism will not appear until a
later version of the specification.
The JSP 1.0 specification includes:
• JSP standard directives
• JSP standard actions
• Script language declarations, Scriplets and expressions
A future version of the JSP specification will also add additional features to enhance the use of
JSP pages in a J2EE platform.
JavaBeans
The JavaBeans API makes it possible to write component software in the Java
programming language. Components are self-contained, reusable software units that can be
visually composed into composite components, applets, applications, and servlets using visual
application builder tools. JavaBean components are known as Beans.
Components expose their features (for example, public methods and events) to builder
tools for visual manipulation. A Bean’s features are exposed because feature names adhere to
specific design patterns. A “JavaBeans-enabled” builder tool can then examine the Bean’s
patterns, discern its features, and expose those features for visual manipulation. A builder tool
maintains Beans in a palette or toolbox. You can select a Bean from the toolbox, drop it into a
form, modify it’s appearance and behavior, define its interaction with other Beans, and compose
it and other Beans into an applet, application, or new Bean. All this can be done without writing a
line of code.
The following list briefly describes key Bean concepts,
• Builder tools discover a Bean’s features (that is, its properties, methods,
and events) by a process known as introspection. Beans support introspection in
two ways:
o By adhering to specific rules, known as design patterns, when
naming Bean features.
o By explicitly providing property, method, and event information
with a related Bean Information class.
• Properties are a Bean’s appearance and behavior characteristics that can
be changed at design time. Builder tools introspect on a Bean to discover its
properties, and expose those properties for manipulation.
• Beans expose properties so they can be customized at design time.
Customization is supported in two ways: By using property editors, or by using
more sophisticated Bean customizers.
• Beans use events to communicate with other Beans. A Bean that wants to
receive events (a listener Bean) registers its interest with the Bean that fires the
event (a source Bean). Builder tools can examine a Bean and determine which
events that Bean can fire (send) and which it can handle (receive).
• Persistence enables Beans to save and restore their state. Once you’ve
changed a Beans properties, you can save the state of the Bean and restore that
Bean at a later time, property changes intact. JavaBeans uses Java Object
Serialization to support persistence.
• A Bean’s methods are no different than Java methods, and can be called
from other Beans or a scripting environment. By default all public methods are
exported.
Although Beans are designed to be understood by builder tools, all key APIs, including
support for events, properties, and persistence, have been designed to be easily read and
understood by human programmers as well.
New JavaBeans Features

Here is a list of upcoming Beans and Beans-related features:
• The Java Activation Framework (JAF). The JAF is a data typing and
command registry API. With the JAF you can discover an arbitrary data object’s
type, and look command applications or Beans that can process that data type,
and activate the appropriate command at a user gesture. For example, a browser
can identify a file’s data type, and then launch the appropriate plug-in to view or
edit the file. The JAF is a Java standard extension.
• The Extensible Runtime Containment and Services Protocol, also
known as beancontext. Previous to this protocol a Bean only knew about and had
access to the Java Virtual Machine (JVM) in which the Bean ran, and the core
Java APIs. This protocol introduces a standard way for a Bean to discover and
access attributes or services provided by a Bean’s enclosing environment, and for
a Bean’s enclosing environment to discover and access a Bean’s attributes and
services. The java.beans.beancontext API introduces the ability to nest Beans and
Bean contexts within a hierarchical structure. At runtime, a Bean can obtain
services from its containing enviroment; the Bean can then make use of those
services, or propagate those services to any Beans that it contains.
• Drag and Drop Support. The java.awt.dnd API provides support for
drag and drop between Java applications and native platform applications.
Databases and the Web

Databases are at the root of all business computing today. At some point, you are going to
want to integrate a company database with your Web site. On the other hand, perhaps when you
have a large Web site, you will want to create a database that will let clients search the text of
your HTML files.
There are several ways to achieve database and Web site integration. Lets concentrate on
ODBC and JDBC.
ODBC
Microsoft Open Database Connectivity (ODBC) is a standard programming interface for
application developers and database systems providers. Before ODBC became a de facto standard
for Windows programs to interface with database systems, programmers had to use proprietary
languages for each database they wanted to connect to. Now, ODBC has made the choice of the
database system almost irrelevant from a coding perspective, which is as it should be. Application
developers have much more important things to worry about than the syntax that is needed to port
their program from one database to another when business needs suddenly change.
Through the ODBC Administrator in Control Panel, you can specify the particular
database that is associated with a data source that an ODBC application program is written to use.
Think of an ODBC data source as a door with a name on it. Each door will lead you to a
particular database. For example, the data source named Sales Figures might be a SQL Server
database, whereas the Accounts Payable data source could refer to an Access database. The
physical database referred to by a data source can reside anywhere on the LAN.
The ODBC system files are not installed on your system by Windows 95. Rather, they
are installed when you setup a separate database application, such as SQL Server Client or Visual
Basic 4.0. When the ODBC icon is installed in Control Panel, it uses a file called
ODBCINST.DLL. It is also possible to administer your ODBC data sources through a stand-
alone program called ODBCADM.EXE. There is a 16-bit and a 32-bit version of this program,
and each maintains a separate list of ODBC data sources.
From a programming perspective, the beauty of ODBC is that the application can be
written to use the same set of function calls to interface with any data source, regardless of the
database vendor. The source code of the application doesn’t change whether it talks to Oracle or
SQL Server. We only mention these two as an example. There are ODBC drivers available for
several dozen popular database systems. Even Excel spreadsheets and plain text files can be
turned into data sources. The operating system uses the Registry information written by ODBC
Administrator to determine which low-level ODBC drivers are needed to talk to the data source
(such as the interface to Oracle or SQL Server). The loading of the ODBC drivers is transparent
to the ODBC application program. In a client/server environment, the ODBC API even handles
many of the network issues for the application programmer.
The advantages of this scheme are so numerous that you are probably thinking there must
be some catch. The only disadvantage of ODBC is that it isn’t as efficient as talking directly to
the native database interface. ODBC has had many detractors make the charge that it is too slow.
Microsoft has always claimed that the critical factor in performance is the quality of the driver
software that is used. In our humble opinion, this is true. The availability of good ODBC drivers
has improved a great deal recently. And anyway, the criticism about performance is somewhat
analogous to those who said that compilers would never match the speed of pure assembly
language. Maybe not, but the compiler (or ODBC) gives you the opportunity to write cleaner
programs, which means you finish sooner. Meanwhile, computers get faster every year.
JDBC
In an effort to set an independent database standard API for Java, Sun Microsystems
developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access
mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface
is achieved through the use of “plug-in” database connectivity modules, or drivers. If a database
vendor wishes to have JDBC support, he or she must provide the driver for each platform that the
database and Java run on.
To gain a wider acceptance of JDBC, Sun based JDBC’s framework on ODBC. As you
discovered earlier in this chapter, ODBC has widespread support on a variety of platforms.
Basing JDBC on ODBC will allow vendors to bring JDBC drivers to market much faster than
developing a completely new connectivity solution.
JDBC was announced in March of 1996. It was released for a 90 day public review that
ended June 8, 1996. Because of user input, the final JDBC v1.0 specification was released soon
after.
The remainder of this section will cover enough information about JDBC for you to know what it
is about and how to use it effectively. This is by no means a complete overview of JDBC. That
would fill an entire book.
JDBC Goals
Few software packages are designed without goals in mind. JDBC is one that, because of
its many goals, drove the development of the API. These goals, in conjunction with early
reviewer feedback, have finalized the JDBC class library into a solid framework for building
database applications in Java.
The goals that were set for JDBC are important. They will give you some insight as to why
certain classes and functionalities behave the way they do. The eight design goals for JDBC are
as follows:
1. SQL Level API
The designers felt that their main goal was to define a SQL interface for Java. Although
not the lowest database interface level possible, it is at a low enough level for higher-
level tools and APIs to be created. Conversely, it is at a high enough level for application
programmers to use it confidently. Attaining this goal allows for future tool vendors to
“generate” JDBC code and to hide many of JDBC’s complexities from the end user.
2. SQL Conformance
SQL syntax varies as you move from database vendor to database vendor. In an effort to
support a wide variety of vendors, JDBC will allow any query statement to be passed
through it to the underlying database driver. This allows the connectivity module to
handle non-standard functionality in a manner that is suitable for its users.
3. JDBC must be implemental on top of common database interfaces
The JDBC SQL API must “sit” on top of other common SQL level APIs. This goal
allows JDBC to use existing ODBC level drivers by the use of a software interface. This
interface would translate JDBC calls to ODBC and vice versa.
4. Provide a Java interface that is consistent with the rest of the Java system
Because of Java’s acceptance in the user community thus far, the designers feel that they
should not stray from the current design of the core Java system.
5. Keep it simple
This goal probably appears in all software design goal listings. JDBC is no exception.
Sun felt that the design of JDBC should be very simple, allowing for only one method of
completing a task per mechanism. Allowing duplicate functionality only serves to
confuse the users of the API.
6. Use strong, static typing wherever possible
Strong typing allows for more error checking to be done at compile time; also, less errors
appear at runtime.
7. Keep the common cases simple
Because more often than not, the usual SQL calls used by the programmer are simple
SELECT’s, INSERT’s, DELETE’s and UPDATE’s, these queries should be simple to
perform with JDBC. However, more complex SQL statements should also be possible.
Overview of Servlets
Servlets are modules that extend request/response-oriented servers, such as Java-
enabled web servers. For example, a servlet might be responsible for taking data in an
HTML order-entry form and applying the business logic used to update a company’s
order database.
Servlets are to servers what applets are to browsers. Unlike applets, however,
servlets have no graphical user interface.
Servlets can be embedded in many different servers because the servlet API,
which you use to write servlets, assumes nothing about the server’s environment or
protocol. Servlets have become most widely used within HTTP servers; many web
servers support Java Servlet technology.
The Servlet Life Cycle

Each servlet has the same life cycle:
• A server loads and initializes the servlet
• The servlet handles zero or more client requests
• The server removes the servlet
(some servers do this step only when they shut down)
Initializing a Servlet
When a server loads a servlet, the server runs the servlet’s init method.
Initialization completes before client requests are handled and before the servlet is
destroyed.
Even though most servlets are run in multi-threaded servers, servlets have no
concurrency issues during servlet initialization. The server calls the init method once,
when the server loads the servlet, and will not call the init method again unless the server
is reloading the servlet. The server can not reload a servlet until after the server has
destroyed the servlet by running the destroy method.
Interacting with Clients
After initialization, the servlet is able to handle client requests. This part of the servlet life
cycle was handled in the previous lesson.
Destroying a Servlet
Servlets run until the server destroys them, for example, at the request of a
system administrator. When a server destroys a servlet, the server runs the servlet’s
destroy method. The method is run once; the server will not run the destroy method again
until after the server reloads and reinitializes the servlet.
When the server calls the destroy method, another thread might be running a
service request. The Handling Service Threads at Servlet Termination lesson shows you
how to provide a clean shutdown when there could be long-running threads still running
service requests.
Use Servlets instead of CGI Scripts!

Servlets are an effective replacement for CGI scripts. They provide a way to
generate dynamic documents that is both easier to write and faster to run. Servlets also
address the problem of doing server-side programming with platform-specific APIs: they
are developed with the Java Servlet API, a standard Java extension.
So use servlets to handle HTTP client requests. For example, have servlets
process data POSTed over HTTPS using an HTML form, including purchase order or
credit card data. A servlet like this could be part of an order-entry and processing system,
working with product and inventory databases, and perhaps an on-line payment system.
Other Uses for Servlets
Here are a few more of the many applications for servlets:
• Allowing collaboration between people. A servlet can handle multiple
requests concurrently, and can synchronize requests. This allows servlets to
support systems such as on-line conferencing.
• Forwarding requests. Servlets can forward requests to other servers and
servlets. Thus servlets can be used to balance load among several servers that
mirror the same content, and to partition a single logical service over several
servers, according to task type or organizational boundaries.
HARDWARE SPECIFICATION
Processor : Any Processor above 500 MHz.

Ram : 128Mb.
Hard Disk : 10 GB.
Input device : Standard Keyboard and Mouse.
Output device : VGA and High Resolution Monitor.
SOFTWARE SPECIFICATION
Operating System : Windows Family.

Pages developed using : Java Server Pages and HTML.
Techniques : Apache Tomcat Web Server 5.0, JDK 1.5 or higher
Web Browser : Microsoft Internet Explorer.
Data Bases : SQlServer 2000
Client Side Scripting : Java Script
List of Tables
Login table
sno Field name Type size

1 Account number varchar 50
2 password varchar 50
Customerdetails

1 name varchar 50
2 dob varchar 50
3 age varchar 50
4 gender varchar 50
5 address varchar 50
6 occupation varchar 50
7 acctype varchar 50
8 contactnumber varchar 50
9 Accountnumber varchar 50
10 amount varchar 50
11 password varchar 50
12 cpassword varchar 50
Creditcard

1 Account number varchar 50
2 Password varchar 50
3 Amount Varchar 50
List of Figures
Data flow
System arc:
Class diagram:
Cerdit Card
CreditProcess
Accnumber()
Bill process()
Password()
dit
cre
cre
CustomerHome
Customer Login
dit
Database
Accnumber()
User details()
password() customer customer
Transaction()
check()
update()
delete()
insert()
in
Adm Admin Home
Admin Ad Reistration()
mi transation()
n
customer details()
username() Amount credit()
password()
Sequence diagram:
WASP
Login DataBase
account number
password Not Injected
admin or Customer
Invalid Account number

password injected
Admin module:
name
age
gender
occupaiton
Registration .
.
.
Admin module Registration
Transaction
view the tarnsaction details
No injected
Injected
WASP
Customer details
Edit the customer detials
Amount credit
username
&
Credit the amount to user
password
name
Customer module age
gender
.
.
.
injected
No injection View The Details

WASP
Tarnsaction
user accno
amount
Login
Username & transaction accno
Password
Credit Card
Injection
No Injection
WASP Bill process
Username &
password
Loan
Loan details
Modules
1.Admin
2.Customer
3.Credit Card
4.Loans
1. Admin:
Login in:
To access our site ever person must login in that page it have account number and password .the
admin must enter his account number and password that values is checked in the data base weather the
give values in correct if the give value is correct means is show the next page other wise it return to login
page with error message (Invalid account number and password ) .This is normal procedure but the user
can login with out his password by injecting the SQLQuery so to solve this problem we develop the
tool(WASP) to find the user input is valid data or not .that tool contain a technique is positive tainting and
syntax-awareness .it check wither the inputs is injected the present query or not .If the present value is
inject the query means that tool doesn’t send the data
To the SQL Query .if the data is good means it send the data to the database through the sqlquery.
To invoke the WASP tool the user want to click any one of radio button in the login page .once you
click it check’s full project
After the admin login success admin have the sub modules .in our project we checked all the
data’s weather the give data is correct or not then we send the data to the database. sub modules
follows…..
New Registration:
After the admin login successfully the first sub modules is registration module. In this module
admin enter the new user details ie.name, address, occupation, type of account… account number ,pin
number and amount. by the use of the account number and pin only customer login in his module .before
the data insert into data base it check weather the account is available or not then it insert the data .
Before the given values going to the query the WASP tool check weather the
given data is injecting the present query or not .if it injected the query it not send the value to data base and
return to the same page with message your value is invalid.
Transaction:
This is the second module of admin module in this admin can view only the transaction
details .in that page it shows user details that’s are sender name, data and time,reciver name, account
number, amount you send it
Customer details:
This is the third module of the admin in this module in show the customer details. This module
is use to edit some details of the particular customer. In this module it show all the customer details who are
all in our bank when you want to delete or edit the particular customer details click his name and it show
the all the details of the that customer admin go and edit the particular field which we want to edit and press
the update button
To delete the customer details select the customer name which you want to delete and press the
delete option it delete the full detail of the customer.
Before the given values going to the query the WASP tool check weather the given data
is injecting the present query or not .if it injected the query it not send the value to data base and return to
the same page with message your value is invalid.
Amount credit:
This is the last module of the admin.In that module admin enter the amount the his account manually
.admin click the links in show the page it contain account number field and amount field so admin enter
the correct account number and amount and press the enter button the amount is added in that customer
account .Before the given values going to the query the WASP tool check weather the given data is
injecting the present query or not .if it injected the query it not send the value to data base and return to the
same page with message your value is invalid.
2. Customer:
This module customer can view his details and change the password and send the amount to
another account. To process this he/she must login by his account number and password. This module has
two sub-modules.
Login in:
customer must enter his account number and password that values is checked in the data base weather the
can login with out his password by injecting the Sqlquery so to solve this problem we develop the
To invoke the WASP tool the user wants to click any one of radio button in the login page .once
you click it check’s full project
After the customer login success admin have the sub modules .in our project we checked all
the data’s weather the give data is correct or not then we send the data to the database. Sub modules
follow…..
Customer details:
This is the first module of the customer in this module customer can
Change his password of his account because admin only create his account and pin number it was known to
the admin in not safe so we want to change the pin number .the customer can have access to change it pin
number only .before the value going to sqlquery the WASP tool check each given data is good or not ie
weather it injected the present query or not .
Transaction:
In this module the customer can send the amount from his account to another account if that
sending amount is available or not .to send the amount the customer must login and move to the transaction
module and type the account number and amount which we want to send and press the enter button .before
the value send to the database the WASP tool invoke and check the given data is injected the present
SQLQuery or not .then only it was send to database.
3. Credit card:
Login in:
customer must enter his account number and password that values is checked in the data base weather the
can login with out his password by injecting the Sqlquery so to solve this problem we develop the
To invoke the WASP tool the user wants to click any one of radio button in the login page .once
you click it check’s full project
In this module customer can bay the bill to his due by login in this credit card
account, it have one sub-module
Bill credit:
After the customer login successfully it show the sub module in that module
The customer can pay his bills through his card .in our project we set two option to pay the bill one is
electric bill another bill is cell phone bill. when we click bill links to show the current account balance and
we can pay the bill and the particular amount his reduce in his own account.
Before the given values going to the query the WASP tool check
weather the given data is injecting the present query or not .if it injected the query it not send the value to
data base and return to the same page with message your value is invalid.
4. Loans
In this module viewer can see what the loans available in this bank are and get the details of the
loans. This module can see any one who accessing the application
Problem Analysis:
Over the past several years, attackers have developed a wide array of sophisticated attack techniques
that can be used to exploit SQL injection vulnerabilities. These techniques go beyond the well-known
SQLIA examples and take advantage of esoteric and advanced SQL constructs. Ignoring the existence of
these kinds of attacks leads to the development of solutions that only partially address the SQLIA problem.
For example, developers and researchers often assume that SQLIAs are introduced only via user input that
is submitted as part of a Web form. This assumption misses the fact that any external input that is used to
build a query string may represent a possible channel for SQLIAs. In fact, it is common to see other
external sources of input such as fields from an HTTP cookie or server variables used to build a query.
Since cookie values are under the control of the user’s browser and server variables are often set using
values from HTTP headers, these values are actually external strings that can be manipulated by an
attacker. In addition, second-order injections use advanced knowledge of vulnerable applications to
introduce attacks by using otherwise properly secured input sources . A developer may suitably escape,
typecheck, and filter input that comes from the user and assume that it is safe. Later on, when that data is
used in a different context or to build a different type of query, the previously safe input may enable an
injection attack. Once attackers have identified an input source that can be used to exploit SQLIA
vulnerability, there are many different types of attack techniques that they can leverage. Depending on the
type and extent of the vulnerability, the results of these attacks can include crashing the database, gathering
information about the tables in the database schema, establishing covert channels, and open-ended injection
of virtually any SQL command. Here, we summarize the main techniques for performing SQLIAs. We
provide additional information and examples of how these techniques work in.
Web Application SQL-injection Preventer(WASP)
WEB applications are applications that can be accessed over the Internet by using any compliant
Web browser that runs on any operating system and architecture. They have become ubiquitous due to the
convenience, flexibility, availability, and interoperability that they provide. Unfortunately, Web
applications are also vulnerable to a variety of new security threats. SQL Injection Attacks (SQLIAs) are
one of the most significant of such threats . SQLIAs have become increasingly frequent and pose
Very serious security risks because they can give attackers unrestricted access to the databases that underlie
Web applications. ….In Web Application database it contains
Personal information about the customer. One way in which this happens is that
attackers can submit input strings that contain specially encoded database When the Web application builds
a query by using these strings and submits the query
to its underlying database, the attacker’s embedded commands are executed by the database and the attack
succeeds. The results of these attacks are often disastrous
and can range from leaking of sensitive this is called as SQL-Injection Attacks(SQLIAs).
To avoid this we use a new techniques is called WASP.
Existing System:
In existing the checked only the untrusted data dynamic tainting approaches mark certain untrusted
data (typicallyuser input) as tainted, track the flow of tainted data at runtime, and prevent this data
from being used in potentially harmful ways
Researchers have proposed a wide range of alternative techniques to address SQLIAs, but many of these
solutions have limitations that affect their effectiveness and practicality. For example, one common class of
solutions is based on defensive coding practices, which have been less than successful for three main
reasons. First, it is difficult to implement and enforce a rigorous defensive coding discipline. Second, many
solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software
poses particularly difficult problem because of the cost and complexity of retrofitting existing code so that
it is compliant with defensive coding practices .In this paper, we propose a new highly automated approach
for dynamic detection and prevention of SQLIAs. Intuitively, our approach works by identifying “trusted”
strings in an application and allowing only these trusted strings to be used to create the semantically
relevant parts of a SQL query such as keywords or operators. The general mechanism that we use to
implement this approach is based on dynamic tainting, which marks and tracks certain data in a program at
run time .The kind of dynamic tainting that we use gives our approach several important advantages over
techniques based on other mechanisms. Many techniques rely on complex static analyses in order to find
potential vulnerabilities in the code These kinds of conservative static analyses can generate high rates of
false positives and can have scalability issues when Compared to other existing techniques based on
dynamic tainting our approach makes several conceptual and practical improvements that take advantage of
the specific characteristics of SQLIAs. The first conceptual advantage of our approach is the use of positive
tainting. Positive tainting identifies and tracks trusted data, whereas traditional (“negative”) tainting focuses
on untrusted data. In the context of SQLIAs, there are several reasons why positive tainting is more
effective than negative tainting. First, in Web applications, sources of trusted data can more easily and
accurately be identified than untrusted data sources. Therefore, the use of positive tainting leads to
increased automation. Second, the two approaches significantly differ in how they are affected by
incompleteness. With negative tainting, failure to identify th e complete set of untrusted data sources can
result in false negatives, that is, successful and undetected attacks. With positive tainting, missing trusted
data sources can result in false positives (that is, legitimate accesses can be prevented from completing).
False positives that occur in the field would be problematic. Using our approach, however, false positives
are likely to be detected during prerelease testing. Our approach provides specific mechanisms for helping
developers detect false positives early, identify their sources, and easily eliminate them in future runs by
tagging the identified sources as trusted. The second conceptual advantage of our approach is the use of
flexible syntax-aware evaluation. Syntax-aware evaluation lets us address security problems that are
derived from mixing data and code while still allowing for this mixing to occur. More precisely, it gives
developers a mechanism for regulating the usage of string data based not only on its source but also on its
syntactical role in a query string. This way, developers can use a wide range of external input sources to
build queries while protecting the application from possible attacks introduced via these sources. The
practical advantages of our approach are that it imposes a low overhead on the application and it has
minimal
deployment requirements. Efficiency is achieved by using a specialized library, called MetaStrings, that
accurately and efficiently assigns and tracks trust markings at runtime. The only deployment requirements
for our approach are that the Web application must be instrumented and it must be deployed with our
MetaStrings library, which is done automatically. The approach does not require any customized runtime
system or additional infrastructure.
Disadvantage:
First, it is difficult to implement and enforce a rigorous defensive coding discipline
Second, many solutions based on defensive coding address only a subset of the possible attacks.
Third, legacy software poses a particularly difficult problem because of the cost and complexity of
retrofitting existing code so that it is compliant with defensive coding practices
Proposed System:
First, unlike existing dynamic tainting techniques, our approach is based on the novel concept of
positive tainting, that is, the identification and marking of trusted, instead of untrusted
Second, our approach performs accurate and efficient taint propagation by precisely tracking trust
markings at the character level.
Third, it performs syntax-aware evaluation of query strings before they are sent to the database and
blocks all queries whose nonliteral parts
Advantage:
In this it contains three techniques by use of this technique we can find the injection data’s and send
the correct query to the sqlserver.
1. Positive-Tainting
2. Character-level tainting.
3. Syntax aware
Positive-Tainting:
Positive tainting differs from traditional tainting (hereafter, negative tainting) because it is based on the
identification, marking, and tracking of trusted, rather than untrusted, data. This conceptual difference has
significant implications for the effectiveness of our approach, in that it helps address problems caused by
incompleteness in the identification of relevant data to be marked. Incompleteness, which is one of the
major challenges when implementing a security technique based on dynamic tainting, has very different
consequences in negative and positive tainting. In the case of negative tainting, incompleteness leads to
trusting data that should not be trusted and, ultimately, to false negatives. Incompleteness may thus leave
the application vulnerable to attacks and can be very difficult to detect, even after attacks actually occur,
because they may go completely unnoticed. With positive tainting, incompleteness may lead to false
positives, but it would never result in an SQLIA escaping detection. Moreover, as explained in the
following, the false positives generated by our approach, if any, are likely to be detected and easily
eliminated early during prerelease testing. Positive tainting uses a white-list, rather than a black-list, policy
and follows the general principle of fail-safe defaults, as outlined by Saltzer and Schroeder : In case of
incompleteness, positive tainting fails in a way that maintains the security of the system. shows a graphical
depiction of this fundamental difference between negative and positive tainting. In the context of
preventing SQLIAs, the conceptual advantages of positive tainting are especially significant. The way in
which Web applications create SQL commands makes the identification of all untrusted data especially
problematic and, most importantly, the identification of most trusted data relatively straightforward. Web
applications are deployed in many different configurations and interface with a wide range of external
systems. Therefore, there are often many potential external untrusted sources of input to be considered for
these applications, and enumerating all of them is inherently difficult and error prone. For example,
developers initially assumed that only direct user input needed to be marked as tainted. Subsequent exploits
demonstrated that additional input sources such as browser cookies and uploaded files also needed to be
considered. However, accounting for these additional input sources did not completely solve the problem
either. Attackers soon realized the possibility of leveraging local server variables and the database itself as
injection sources . In general, it is difficult to guarantee that all potentially harmful data sources have been
considered and even a single unidentified source could leave the application vulnerable to attacks. The
situation is different for positive tainting because identifying trusted data in a Web application is often
straightforward and always less error prone. In fact, in most cases, strings hard-coded in the application by
developers represent the complete set of trusted data for a Web application.1 This is because it is common
practice for developers to build SQL commands by combining hardcoded strings that contain SQL
keywords or operators with user-provided numeric or string literals. For Web applications developed this
way, our approach accurately and automatically identifies all SQLIAs and generates no false positives. Our
basic approach, as explained in the following
sections, automatically marks as trusted all hard-coded strings in the code and then ensures that all SQL
keywords and operators are built using trusted data. In some cases, this basic approach is not enough
because developers can also use external query fragments partial SQL commands that come from external
input sources to build queries. Because these string fragments are not hard coded in the application, they
would not be part of the initial set of trusted data identified by our approach and the approach would
generate false positives when the string fragments are used in a query. To account for these cases, our
technique provides developers with a mechanism for specifying sources of external data that should be
trusted. The data sources can be of various types such as files, network connections, and server variables.
Our approach uses this information to mark data that comes from these additional sources as trusted .In a
typical scenario, we expect developers to specify
most of the trusted sources before testing and deployment .However, some of these sources might be
overlooked until after a false positive is reported, in which case, developers would add the omitted items to
the list of trusted sources. In this process, the set of trusted data sources monotonicallygrows and eventually
converges to a complete set that produces no false positives. It is important to note that false positives that
occur after deployment would be due to the use of external data sources that have never been used during
in-house testing. In other words, false positives are likely to occur only for totally untested parts of
applications. Therefore, even when developers fail to completely identify additional sources of trusted data
beforehand, we expect these sources to be identified during normal testing and the set of trusted data to
quickly converge to the complete set .It is also worth noting that none of the subjects that we collected and
examined so far required us to specify additional trusted data sources. All of these subjects used only hard-
coded strings to build query strings.
Character level :
We track taint information at the character level rather than at the string level. We do this because, for
building SQL queries, strings are constantly broken into substrings, manipulated, and combined. By
associating taint information to single characters, our approach can precisely model the effect of these
string operations. Another alternative would be to trace taint data at the bit level, which would allow us to
account for situations where string data are manipulated as character values using bitwise operators.
However, operating at the bit level would make the approach considerably more expensive and complex to
implement and deploy. Most importantly, our experience with Web applications shows that working at a
finer level of granularity than a character would not yield any benefit in terms of effectiveness.Strings are
typically manipulated using methods provided by string library classes and we have not encountered any
case of query strings that are manipulated at the bit level .Accounting for string manipulations. To
accurately maintain character-level taint information, we must identify all relevant string operations and
account for their effect on the taint markings (that is, we must enforce complete mediation of all string
operations). Our approach achieves this goal by taking advantage of the encapsulation offered by object
oriented languages, in particular by Java, in which all string manipulations are performed using a small set
of classes and methods. Our approach extends all such classes and methods by adding functionality to
update taint markings based on the methods’ semantics.
Syntax-Aware:
Aside from ensuring that taint markings are correctly created and maintained during execution, our
approach must be able to use the taint markings to distinguish legitimate from malicious queries. Simply
forbidding the use of untrusted data in SQL commands is not available solution because it would flag any
query that contains user input as an SQLIA, leading to many false positives. To address this shortcoming,
researchers have introduced the concept of declassification, which permits the use of tainted input as long
as it has been processed by a sanitizing function. (A sanitizing function is typically a filter that performs
operations such as regular expression matching or substring replacement.) The idea of declassification is
based on the assumption that sanitizing functions are able to eliminate or neutralize harmful parts of the
input and make the data safe. However, in practice, there is no guarantee that the checks performed by a
sanitizing function are adequate. Tainting approaches based on declassification could therefore generate
false negatives if they mark as trusted supposedly sanitized data that is actually still harmful. Moreover,
these approaches may also generate false positives in cases where un sanitized but perfectly legal input is
used within a query .Syntax-aware evaluation does not rely on any (potentially unsafe) assumptions about
the effectiveness of sanitizing functions used by developers. It also allows for the use of un trusted input
data in a SQL query as long as the use of such data does not cause an SQLIA. The key feature of syntax
aware evaluation is that it considers the context in which trusted and un trusted data is used to make sure
that all parts of a query other than string or numeric literals (for example, SQL keywords and operators)
consist only of trusted characters. As long as un trusted data is confined to literals, we are guaranteed that
no SQLIA can be performed .Conversely, if this property is not satisfied (for example, if a SQL operator
contains characters that are not marked as trusted),we can assume that the operator has been injected by an
attacker and identify the query as an attack. Our technique performs syntax-aware evaluation of a query
string immediately before the string is sent to the database to be executed. To evaluate the query string, the
technique first uses a SQL parser to break the string into a sequence of tokens that correspond to SQL
keywords, operators, and literals. The technique then iterates through the tokens and checks whether tokens
(that is, substrings) other than literals contain only trusted data. If all such tokens pass this check, the query
is considered safe and is allowed to execute. If an attack is detected, a developer specified action can be
invoked. As discussed in Section 3.1, this approach can also handle cases where developers use external
query fragments to build SQL commands. In these cases, developers would specify which external
Consider the malicious query, where the attacker submits “admin’ – –” as the login and “0” as the pin.
shows the sequence of tokens for the resulting query, together with the trust markings. Recall that “– –” is
the
SQL comment operator, so everything after this is identified by the parser as a literal. In this case, the Meta
Checker would find that the last two tokens, ’ and __ , contain un trusted characters. It would therefore
identify the query as an SQLIA.
CONCLUSION
This paper presented a novel highly automated approach for protecting Web applications from
SQLIAs. Our approach consists of
1) Identifying trusted data sources and marking data coming from these sources as trusted,
2) Using dynamic tainting to track trusted data at runtime, and
3) Allowing only trusted data to form the semantically relevant parts of queries such as SQL
keywords and operators.
Unlike previous approaches based on dynamic tainting, our technique is based on positive
tainting, which explicitly identifies trusted (rather than untrusted) data in a program. This way,
we eliminate the problem of false negatives that may result from the incomplete identification of
all untrusted data sources. False positives, although possible in some cases, can typically be easily
eliminated during testing. Our approach also provides practical advantages over the many
existing techniques whose application requires customized and complex runtime environments: It
is defined at the application level, requires no modification of the runtime system, and imposes a
low execution overhead.
Future Enhancement:
In this paper we find the sql injection only in the login process, they don’t care about
other process in the application after he/she sign in to application they can inject any where in
the application so we want to check the full application by using wasp , before the data going to
query we want to check the each data by use of WASP and find the injected query before going
to the database for the full application , so our future work is to check the full application with
WASP.
SAMPLE CODE:
Database.java
package DataBase;
import java.sql.*;
import java.util.*;
public class database {
private Statement st=null;
private ResultSet rs=null;
private Connection con=null;
private String billupdate;
private String amountcredit;
private String tarninsert;
private String customertarns;
private String insert;
private String tableName;
private String update;
private String modify;
public String query;
private String newReg;
public database()
{
try{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
Connection
con=DriverManager.getConnection("jdbc:odbc:injection");
st=con.createStatement();
catch(SQLException e)
{
e.printStackTrace();
}
catch(ClassNotFoundException e)
{
}
}
public String getTableName() {

return tableName;
}
public void setTableName(String tableName) {
System.out.println("table name " +tableName);
this.tableName = tableName;
}
public String check(String accNumber,String password) throws
SQLException
{
try {
String result="";
int flag=0;
query="select * from "+ tableName + " where
accountnumber="+accNumber+" AND password='"+password+"'";
System.out.println("dsdsdsdsd "+query);
rs=st.executeQuery(query);
while(rs.next())
{
flag=1;
System.out.println("wwwwwhile loop");
}
if(flag==1)
{
System.out.println("in if block");
result="sucess";
}
else
{
System.out.println("wwewewe");
result="failure";
}
System.out.println( "data class " +result);
return result;
}
catch(Exception e)
{
return "failure";
}
}
//usercheck
public String usercheck(String accNumber,String password) throws
SQLException
{
try {
String result="";
int flag=0;
query="select * from "+ tableName + " where
accountnumber='"+accNumber+"' AND password='"+password+"'";
System.out.println("dsdsdsdsd "+query);
rs=st.executeQuery(query);
while(rs.next())
{
flag=1;
System.out.println("wwwwwhile loop");
}
if(flag==1)
{
System.out.println("in if block");
result="sucess";
}
else
{
System.out.println("wwewewe");
result="failure";
}
System.out.println( "data class " +result);
return result;
}
catch(Exception e)
{
return "failure";
}
}
public String getInsert() {
return insert;
}
public void setInsert(Vector v) throws SQLException {
String values="";
System.out.println(v.size()-1);
int i;
for( i=0;i<v.size()-1;i++)
{
values=values + "'" + v.get(i)+ "',";

}
if(i<=v.size()-1)
{
values=values + "'" + v.get(i)+ "'";
}
try{
System.out.println(values);
String query="insert into "+tableName+" values
("+values+")";
System.out.println(query);
st.executeUpdate(query);
System.out.println("after exceuted");
insert="sucess";
this.insert = insert;
}
catch(Exception e)
{
insert="failure";
}
}
public String getUpdate() {
return update;
}
public void setUpdate(String password,String cpassword,String

accountnumber) throws SQLException {
try{
String query="update "+tableName+" set
password="+password+",cpassword='"+cpassword+"' where
accountnumber='"+accountnumber+"'" ;
st.executeUpdate(query) ;
System.out.println("after executed");
update="sucess";
this.update =update;
}
catch(Exception e)
{
update="failure";
}
public String getBillupdate() {

return billupdate;
}
public void setBillupdate(String accountnumber,String amount)

throws SQLException {
try{
String query="update creditcard set amount="+amount+" where
accountnumber="+accountnumber;
System.out.println("executed sucessfully the billupdate");
this.billupdate ="sucess";
}
catch(Exception e)
{
billupdate="failure";
}
}
public String getModify() {

return modify;
}
public void setModify(Vector v) throws SQLException {

try{
String query="update customerdetails set
name='"+v.get(0)+"',dob='"+v.get(1)+"',age='"+v.get(2)+"',gender='"+v.g
et(3)+"',address='"+v.get(4)+"',occupation='"+v.get(5)+"',acctype='"+v.
get(6)+"',contactnumber='"+v.get(7)+"',accountnumber='"+v.get(8)+"',amo
unt='"+v.get(9)+"',password='"+v.get(10)+"',cpassword='"+v.get(11)+"'
where accountnumber='"+v.get(8)+"'";
System.out.println("modify query " + query);
System.out.println("executed sucessfully");
this.modify = "sucess";
}
catch(Exception e)
{
modify="failure";
}
}
public String getAmountcredit() {

return amountcredit;
}
public void setAmountcredit(String accountnumber,String

amountcredit) throws SQLException {
try{
String query="update customerdetails set
amount="+amountcredit+" where accountnumber='"+accountnumber+"' ";
System.out.println("amountcredit query " + query);
System.out.println("amountcredit query iiiii" );
this.amountcredit ="sucess";
}
catch(Exception e)
{
amountcredit="failure";
}
}
public String getTarninsert() {

return tarninsert;
}
public void setTarninsert(String tarninsert) throws SQLException {

try{
st.executeUpdate(tarninsert);
this.tarninsert ="sucess";
}
catch(Exception e)
{
}
}
public String getCustomertarns() {

return customertarns;
}
public void setCustomertarns(String customertarns) {

this.customertarns = customertarns;
}
public String getNewReg() {

return newReg;
}
public void setNewReg(Vector v,String acc) throws SQLException {
rs=st.executeQuery("select * from customerdetails where

accountnumber='"+acc+"'");
if(rs.next())
{
newReg="exist";
}
else
{
String values="";
System.out.println(v.size()-1);
int i;
for( i=0;i<v.size()-1;i++)
{
values=values + "'" + v.get(i)+ "',";

}
if(i<=v.size()-1)
{
values=values + "'" + v.get(i)+ "'";
}
System.out.println(values);
String query="insert into "+tableName+" values
("+values+")";
System.out.println("after exceuted");
newReg="sucess";
this.newReg = newReg;
}
}
}
BillprocessAction.java
/*
* Generated by MyEclipse Struts
* Template path: templates/java/JavaClass.vtl
*/
package com.yourcompany.struts.action;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.sql.SQLException;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import com.yourcompany.struts.form.BillprocessForm;
/**
* MyEclipse Struts
* Creation date: 08-01-2008
*
* XDoclet definition:
* @struts.action path="/billprocess" name="billprocessForm"
attribute="BillprocessForm" input="/Billprocess.jsp" scope="request"
validate="true"
*/
public class BillprocessAction extends Action {
/*
* Generated Methods
*/
/**
* Method execute
* @param mapping
* @param form
* @param request
* @param response
* @return ActionForward
* @throws SQLException
* @throws ClassNotFoundException
* @throws IOException
* @throws InterruptedException
*/
public ActionForward execute(ActionMapping mapping, ActionForm
form,
HttpServletRequest request, HttpServletResponse
response) throws SQLException, ClassNotFoundException, IOException,
InterruptedException {
BillprocessForm BillprocessForm = (BillprocessForm)
form;// TODO Auto-generated method stub
Vector v=new Vector();
String result="failure";
String status=" ";
String type="";
Process compile;
HttpSession session=request.getSession();
String
accountnumber=(String)session.getAttribute("accountnumber");
String balance=BillprocessForm.getBalance();
String payamount=BillprocessForm.getPayamount();
v.add(payamount);
System.out.println("balance = " +balance+ " payamount
"+ payamount);
String process=(String)session.getAttribute("process");
int fulllength=0;
int sublength=0;
String orignal="";
if(process.equals("normal"))
{
DataBase.database data=new DataBase.database();
if(payamount.contains(";"))
{
fulllength=payamount.length();
sublength=payamount.indexOf(";");
orignal=payamount.substring(sublength,fulllength);
payamount=payamount.substring(0,sublength);
System.out.println(" yndcvcgtcbg "+payamount+ "
jddhdhj " +orignal);
}
double amounthaving=Integer.parseInt(balance);
double pay=Integer.parseInt(payamount);
String amount;
if(amounthaving>=pay)
{
amount=""+(amounthaving-pay)+orignal;
data.setBillupdate(accountnumber, amount);
result=data.getBillupdate();
}
else
{
amount=""+amounthaving;
result="failure";
}
}
else if(process.equals("positive"))
{
String file="D:\\WASP\\";
FileReader fr=new
FileReader(file+"Metastringbill.java");
System.out.println("file reader");
BufferedReader br=new BufferedReader(fr);
System.out.println("buffer reader");
String data="";
String s;
while((s=br.readLine())!=null)
{
s=s.replace("money",payamount);
data=data+"\n"+s;
}
System.out.println("classs "+data);
br.close();
FileWriter fw=new
FileWriter(file+"Metastringbill.java");
fw.write(data);
fw.flush();
fw.close();
String JAVA_HOME =
System.getProperty("java.home");
String java_dir =
JAVA_HOME.substring(0,JAVA_HOME.lastIndexOf(File.separator));
String compileCommand =
java_dir+File.separator+"bin"+File.separator+"javac.exe ";
String path="-d "+" "+file;
String fullpath=file+"Metastringbill.java";
System.out.println(compileCommand +"
"+path+"\\"+" "+fullpath);
compile =
Runtime.getRuntime().exec(compileCommand +" "+path+"\\"+" "+fullpath);
System.out.println("comple class created");
Thread.sleep(5000);
WASP.PositiveTaint positive=new
WASP.PositiveTaint();
positive.classcodebill();
positive.changeclass("samplebill.txt","Metastringbill");
request.setAttribute("typeofinje",type);
if(positive.result.equals("notinjected"))
{
double amounthaving=Integer.parseInt(balance);
double
pay=Integer.parseInt(payamount);
String amount="";
{
amount=""+(amounthaving-pay);
DataBase.database data1=new
DataBase.database();
System.out.println("22222222222222222222");
data1.setBillupdate(accountnumber, amount);
result=data1.getBillupdate();
System.out.println("result in fi loop "
+result);
}
else if(amounthaving<pay)
{
result="failure";
}
}
else if(positive.result.equals("injected"))
{
result="failure";
}
}
else if(process.equals("character"))
{
WASP.CharacterLevel character=new
WASP.CharacterLevel();
System.out.println("if blockkkk");
character.calculate(v);
status=character.injection;
System.out.println("result value if" +status);
type=character.typeofinjection;
// session.setAttribute("typeofinje", type);
request.setAttribute("typeofinje", type);
if(status.equals("sucess"))
{
double
amounthaving=Integer.parseInt(balance);
double
pay=Integer.parseInt(payamount);
String amount="";
{
amount=""+(amounthaving-pay);
DataBase.database data=new
DataBase.database();
System.out.println("22222222222222222222");
data.setBillupdate(accountnumber, amount);
result=data.getBillupdate();
System.out.println("result in fi loop "
+result);
}
else if(amounthaving<pay)
{
result="failure";
}
System.out.println("result befor to
redirect " +result);
}
}
else if(process.equals("syntax"))
{
DataBase.databasesyntax datasyntax=new
DataBase.databasesyntax();
datasyntax.setBillprocess(payamount,"creditcard");
String givequery= datasyntax.getBillprocess();
System.out.println("ssssasfhfsfhssfd " +givequery);
WASP.SyntaxAware syntax=new WASP.SyntaxAware();
syntax.function(givequery,"update");
syntax.setBillprocess();
String tablename=syntax.getTablename();
String amount=syntax.getAmount();
int flength=amount.length();
int hlength=amount.indexOf("=");
amount=amount.substring(hlength+1, flength);
System.out.println("tablenemehfhyu nbfjg
"+tablename+ amount);
double amounthaving=Double.parseDouble(balance);
double pamount=Double.parseDouble(amount);
if(amounthaving>=pamount)
{
System.out.println(amounthaving);
pamount=amounthaving-pamount;
System.out.println(pamount);
String runquery="update "+tablename+" set
amount='"+pamount+"' where accountnumber='"+accountnumber+"'";
System.out.println("njfhfhsdhdfnhsdfhj "
+runquery);
datasyntax.setRunquery(runquery);
result=datasyntax.getRunquery();
}
else if(amounthaving<pamount)
{
result="failure";
}
return mapping.findForward(result);
}
}
New Registration.jsp
<html>
<head>
<title>Free Template from Interspire.com</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords" content="Keywords here">
<meta name="description" content="Description here">
<meta name="Author" content="Joseph De Araujo">
<meta name="Publisher" content="Interspire.com">
<meta name="robots" content="index, follow"> 
<meta name="revisit-after" content="30 days">
<meta name="distribution" content="global">
<meta name="rating" content="general">
<meta name="Content-Language" CONTENT="english">
<link href="style.css" rel="stylesheet" type="text/css">

</head>
<body style="margin:0;">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td height="73" background="images/topbg.gif"><table width=100% border=0 align="center"
cellpadding=0 cellspacing=0>
<tr>
<td width="12"> <img src="images/topleft.gif" width=12 height=73></td>
<td width="166"> </td>
<td colspan=2 align="right" valign="bottom"> </td>
<td width="14"> <img src="images/topright.gif" width=14 height=73></td>
</tr>
</table></td>
</tr>
<tr>
<td height="36" background="images/subnavbg.gif"><table width=100% border=0 align="center"
cellpadding=0 cellspacing=0>
<tr>
<td width="12"> <img src="images/subnavleft.gif" width=12 height=36></td>
<td width="14"><img src="images/subnavright.gif" width=14 height=36></td>
</tr>
</table></td>
</tr>
<tr>
<td valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="178" valign="top"><table border=0 align="center" cellpadding=0 cellspacing=0>
<tr>
<td background="images/navbg.gif"><table width="100%" border="0" cellspacing="0"
cellpadding="0">
<tr>
<td height="25" class="menuLink" style="padding:0 10 0 23;"
onMouseOver="this.className='navbar'" onMouseOut="this.className='menuLink'"><p>
<a href="AdminLogin.jsp">Admin</a></p> </td>
</tr>
<tr>
<td><img src="images/navspacer.gif" width="178" height="1"></td>
</tr>
<tr>
onMouseOver="this.className='navbar'" onMouseOut="this.className='menuLink'">
<a href="UserLogin.jsp"> Customer</a></td>
</tr>
<tr>
</tr>
<tr>
onMouseOver="this.className='navbar'" onMouseOut="this.className='menuLink'"> <a
href="Creditcard.jsp">Credit
Card</a></td>
</tr>
<tr>
</tr>
<tr>
href="Loan.jsp">Loan</a></td>
</tr>
<tr>
</tr>
<tr>
href="index.jsp">About
Us</a></td>
</tr>
<tr>
</tr>
<tr>
<td height="25" class="menuLink" style="padding:0 10 0 23;"> </td>
</tr>
</table></td>
</tr>
<tr>
<td height="25" background="images/hdrbg.gif" class="sidenewshdr" style="padding:0 10 0 23;
"> </td>
</tr>
<tr>
<td height="25">
<table width="178" border="0" cellspacing="0" cellpadding="0">
<tr>
<td valign="top" width="12"><img src="images/sidebg2.gif" width="12" height="146"></td>
<td style="background-image:url('images/sidebg1.gif'); background-repeat:repeat-x; padding:10"
width="146">
<br>
</td>
</tr>
</table> </td>
</tr>
</table></td>
<td valign="top" style="padding:15px 25px 15px 25px; ">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>NewRegistration</title>
<script language="javascript">
function validate()
{
var name=document.Newregister.name.value;
var dob=document.Newregister.dob.value;
var age=document.Newregister.age.value;
var addres=document.Newregister.address.value;
var occ=document.Newregister.occupation.value;
var acc=document.Newregister.acctype.value;
var con=document.Newregister.contact.value;
var accnum=document.Newregister.accnumber.value;
var amount=document.Newregister.amount.value;
var pass=document.Newregister.password.value;
var cpass=document.Newregister.cpassword.value;
if(name==""||name==null)
{
alert("Enter the NAME....");
document.Newregister.name.focus();
return false;
}
if(dob.length<1)
{
alert("Enter the dob....");
document.Newregister.dob.focus();
return false;
}
if(age.length<1)
{
alert("Enter the age....");
document.Newregister.age.focus();
return false;
}
if(address.length<1)
{
alert("Enter the address....");
document.Newregister.address.focus();
return false;
}
if(occ.length<1)
{
alert("Enter the occupation....");
document.Newregister.occ.focus();
return false;
}
if(acc.length<1)
{
alert("Enter the Account type....");
document.Newregister.acc.focus();
return false;
}
if(con.length<1)
{
alert("Enter the contactnumber....");
document.Newregister.con.focus();
return false;
}
if(accnum.length<1)
{
alert("Enter the accountnumber....");
document.Newregister.accnum.focus();
return false;
}
if(amount.length<1)
{
alert("Enter the amount....");
document.Newregister.amount.focus();
return false;
}
if(pass.length<1)
{
alert("Enter the password....");
document.Newregister.pass.focus();
return false;
}
if(cpass.length<1)
{
alert("Enter the conformpassword....");
document.Newregister.cpass.focus();
return false;
}
return true;
</script>
</head>
<body>
<% if(request.getParameter("error")!=null)
{
out.println(request.getParameter("error"));
}
%>
<form method="POST" action="NewRegistration.do" name="Newregister">
<p> </p>
New Customer</strong></p>
<table border="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111"
width="65%" id="AutoNumber1">
<tr>
<td width="50%" bordercolor="#FFFF00">
NAME</td>
<td width="50%"><input type="text" name="name" size="20"></td>
</tr>
<tr>
<td width="50%">       DATA OF
BIRTHDAY</td>
<td width="50%"><input type="text" name="dob" size="20"></td>
</tr>
<tr>
<td width="50%">         AGE</td>
<td width="50%"><input type="text" name="age" size="20"></td>
</tr>
<tr>
<td width="50%">        GENDER</td>
<td width="50%"><input type="radio" value="male" name="gender">MALE
<input type="radio" name="gender" value="female">FEMALE</td>
</tr>
<tr>
<td width="50%">         ADDRESS</td>
<td width="50%"><textarea rows="2" name="address" cols="20"></textarea></td>
</tr>
<tr>
<td width="50%">         OCCUPATION</td>
<td width="50%"><input type="text" name="occupation" size="20"></td>
</tr>
<tr>
<td width="50%">         ACCOUNT TYPE</td>
<td width="50%"><input type="radio" name="acctype" value="current">current
<input type="radio" name="acctype" value="saving">saving</td>
</tr>
<tr>
<td width="50%">         CONTACT
NUMBER</td>
<td width="50%"><input type="text" name="contact" size="20"></td>
</tr>
<tr>
</td>
<td width="50%"> </td>
</tr>
</table>
<p>         <strong> Account
Details </strong>    </p>
<table border="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111"
width="64%" id="AutoNumber2" bordercolorlight="#000000">
<tr>
<td width="50%">         Account
number</td>
<td width="50%"><input type="text" name="accnumber" size="20"></td>
</tr>
<tr>
<td width="50%">         Amount</td>
<td width="50%"><input type="text" name="amount" size="20"></td>
</tr>
<tr>
<td width="50%">         password</td>
<td width="50%"><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td width="50%">         conform
password</td>
<td width="50%"><input type="password" name="cpassword" size="20"></td>
</tr>
</table>
<p> </p>
<p>             &nbsp
;
<input type="submit" value="Submit" name="Submit" onclick="return validate(this);">
<input type="reset" value="Reset" name="Reset"></p>
</form>
</body>
</html>

</td>
<td width="206" valign="top"><p> </p>

<p> </p>
<p><img src="images/mainpic1.jpg" width=145 height=90></p>
<p><img src="images/mainpic2.jpg" width="145" height="90"></p> </td>
</tr>
</table></td>
</tr>
<tr>
<td height="19" align="right" background="images/subbasebg.gif"> </td>
</tr>
<tr>
<td height="38" align="center" background="images/basebg.gif">© Copyright 2003-2004

YourCompany. All Rights Reserved. <a href="http://www.interspire.com/templates"
class="searchlink">Website Template by Interspire</a></td>
</tr>
</table>
</body>
</html>
/*
* Generated by MyEclipse Struts
* Template path: templates/java/JavaClass.vtl
*/
package com.yourcompany.struts.action;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.FileWriter;
NewRegistrationAction.java
import java.io.IOException;
import java.sql.SQLException;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import com.yourcompany.struts.form.NewRegistrationForm;
/**
* MyEclipse Struts
* Creation date: 07-28-2008
*
* XDoclet definition:
* @struts.action path="/NewRegistration" name="newRegistrationForm"
attribute="NewRegistrationForm" input="/NewRegistration.jsp" scope="request" validate="true"
*/
public class NewRegistrationAction extends Action {
/*
* Generated Methods
*/
/**
* Method execute
* @param mapping
* @param form
* @param request
* @param response
* @return ActionForward
* @throws SQLException
* @throws ClassNotFoundException
* @throws IOException
* @throws InterruptedException
*/
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) throws
SQLException, ClassNotFoundException, IOException, InterruptedException {
NewRegistrationForm NewRegistrationForm = (NewRegistrationForm) form;// TODO

Auto-generated method stub
String name=NewRegistrationForm.getName().trim();
String dob=NewRegistrationForm.getDob().trim();
String age=NewRegistrationForm.getAge().trim();
String gender=NewRegistrationForm.getGender().trim();
String address=NewRegistrationForm.getAddress().trim();
String occupation=NewRegistrationForm.getOccupation().trim();
String acctype=NewRegistrationForm.getAcctype().trim();
String contactnumber=NewRegistrationForm.getContact().trim();
String accnumber=NewRegistrationForm.getAccnumber().trim();
String amount=NewRegistrationForm.getAmount().trim();
String password=NewRegistrationForm.getPassword().trim();
String cpassword=NewRegistrationForm.getCpassword().trim();
String status="failure";
String result="";
Process compile;
Vector vector=new Vector();
vector.add(name);
vector.add(dob);
vector.add(age);
vector.add(gender);
vector.add(address);
vector.add(occupation);
vector.add(acctype);
vector.add(contactnumber);
vector.add(accnumber);
vector.add(amount);
vector.add(password);
vector.add(cpassword);
System.out.println("values in vector " +vector);
HttpSession session=request.getSession();
String process=(String)session.getAttribute("process");
System.out.println("session value " +process);
DataBase.database data=new DataBase.database();
if(process.equals("normal"))
{
data.setTableName("customerdetails");
data.setInsert(vector);
result=data.getInsert();
System.out.println(result);
}
else if(process.equals("positive"))
{
String file="D:\\WASP\\";
FileReader fr=new FileReader(file+"Metastringreg.java");

System.out.println("file reader");
BufferedReader br=new BufferedReader(fr);
System.out.println("buffer reader");
String datas="";
String s="";
while((s=br.readLine())!=null)
{
s=s.replace("user",name);
s=s.replace("birth", dob);
s=s.replace("old", age);
s=s.replace("sex",gender );
s=s.replace("place", address);
s=s.replace("work",occupation);
s=s.replace("type", acctype);
s=s.replace("phone",contactnumber);
s=s.replace("111",accnumber);
s=s.replace("000", amount);
s=s.replace("333",password);
s=s.replace("444",cpassword);
datas=datas+"\n"+s;
}
System.out.println(datas);
br.close();
FileWriter fw=new FileWriter(file+"Metastringreg.java");
fw.write(datas);
fw.flush();
fw.close();
String JAVA_HOME = System.getProperty("java.home");
String java_dir =
JAVA_HOME.substring(0,JAVA_HOME.lastIndexOf(File.separator));
String compileCommand = java_dir+File.separator+"bin"+File.separator+"javac.exe ";
String path="-d "+" "+file;
String fullpath=file+"Metastringreg.java";
System.out.println(compileCommand +" "+path+"\\"+" "+fullpath);
compile = Runtime.getRuntime().exec(compileCommand +" "+path+"\\"+" "+fullpath);

System.out.println("comple class created");
Thread.sleep(3000);
WASP.PositiveTaint positive=new WASP.PositiveTaint();
positive.Regcheck();
positive.changeclass("samplreg.txt","Metastringreg");
if(positive.result.equals("notinjected"))
{
}
else if(positive.result.equals("injected"))
{
result="failure";
}
}
else if(process.equals("character"))
{
WASP.CharacterLevel character=new WASP.CharacterLevel();
character.calculate(vector);
status=character.injection;
System.out.println("status in newregistartion action " +status);
if(status.equals("sucess"))
{
}
else
{
result="failure";
System.out.println("else in new registeraction " + data.getInsert());
}
}
else if(process.equals("syntax"))
{
DataBase.databasesyntax datasyntax=new DataBase.databasesyntax();

datasyntax.setInsertdetails(name, dob, age, gender, address, occupation, acctype,
contactnumber, accnumber, amount, password, cpassword,"customerdetails");
String givequery=datasyntax.getInsertdetails();
System.out.println(givequery);
WASP.SyntaxAware syntax=new WASP.SyntaxAware();
syntax.function(givequery,"insert");
syntax.setInsertdetails();
name=syntax.getName();
dob=syntax.getDob();
age=syntax.getAge();
gender=syntax.getGender();
address=syntax.getAddress();
occupation=syntax.getOccupation();
acctype=syntax.getAcctype();
contactnumber=syntax.getContact();
amount=syntax.getAmount();
accnumber=syntax.getAccountnumber();
password=syntax.getPassword();
cpassword=syntax.getCpassword();
String tablename=syntax.getTablename();
String runquery="insert into "+tablename+"
values('"+name+"','"+dob+"','"+age+"','"+gender+"','"+address+"','"+occupation+"','"+acctype+"','"+contact
number+"','"+amount+"','"+accnumber+"','"+password+"','"+cpassword+"')";
System.out.println("qyerttgggdgdgdg " +runquery);
datasyntax.setRunquery(runquery);
result=datasyntax.getRunquery();
return mapping.findForward(result);
}
}
Reference
1. S.W. Boyd and A.D. Keromytis, “SQLrand: Preventing SQL Injection Attacks,” Proc. Second Int’l Conf.
Applied Cryptography and Network Security, pp. 292-302, June 2004.
2. G.T. Buehrer, B.W. Weide, and P.A.G. Sivilotti, “Using Parse Tree Validation to Prevent SQL Injection
Attacks,” Proc. Fifth Int’l
Workshop Software Eng. and Middleware, pp. 106-113, Sept. 2005
3. J. Clause, W. Li, and A. Orso, “Dytan: A Generic Dynamic Taint Analysis Framework,” Proc. Int’l
Symp. Software Testing and Analysis, pp. 196-206, July 2007.
4. W.R. Cook and S. Rai, “Safe Query Objects: Statically Typed Objects as Remotely Executable Queries,”
Proc. 27th Int’l Conf.
Software Eng., pp. 97-106, May 2005.
5. “Top Ten Most Critical Web Application Vulnerabilities,” OWASP Foundation,

http://www.owasp.org/documentation/
topten.html, 2005.

Full Doc1

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Full Doc1

Diunggah oleh

Hak Cipta:

Format Tersedia

Combinatorial Approach for Preventing SQL

What Can Java Technology Do?

How Will Java Technology Change My Life?

• Get started quickly: Although the Java programming language is a

Java Server™ Pages

2. A request comes through a servlet.

How to Choose Between Access Models

Using XML with JSP:

Features in JSP 1.0

New JavaBeans Features

Databases and the Web

The Servlet Life Cycle

Use Servlets instead of CGI Scripts!

Processor : Any Processor above 500 MHz.

Operating System : Windows Family.

sno Field name Type size

sno Field name Type size

sno Field name Type size

Invalid Account number

No injection View The Details

Web Application SQL-injection Preventer(WASP)

public String getTableName() {

values=values + "'" + v.get(i)+ "',";

public void setUpdate(String password,String cpassword,String

public String getBillupdate() {

public void setBillupdate(String accountnumber,String amount)

System.out.println("executed sucessfully the billupdate");

public String getModify() {

public void setModify(Vector v) throws SQLException {

public String getAmountcredit() {

public void setAmountcredit(String accountnumber,String

public String getTarninsert() {

public void setTarninsert(String tarninsert) throws SQLException {

public String getCustomertarns() {

public void setCustomertarns(String customertarns) {

public String getNewReg() {

public void setNewReg(Vector v,String acc) throws SQLException {

rs=st.executeQuery("select * from customerdetails where

values=values + "'" + v.get(i)+ "',";

<link href="style.css" rel="stylesheet" type="text/css">

<td width="206" valign="top"><p>&nbsp;</p>

<td height="38" align="center" background="images/basebg.gif">&copy; Copyright 2003-2004

NewRegistrationForm NewRegistrationForm = (NewRegistrationForm) form;// TODO

FileReader fr=new FileReader(file+"Metastringreg.java");

compile = Runtime.getRuntime().exec(compileCommand +" "+path+"\\"+" "+fullpath);

DataBase.databasesyntax datasyntax=new DataBase.databasesyntax();

5. “Top Ten Most Critical Web Application Vulnerabilities,” OWASP Foundation,

Anda mungkin juga menyukai

<td width="206" valign="top"><p> </p>

<td height="38" align="center" background="images/basebg.gif">© Copyright 2003-2004