Tuesday, September 6, 2011

JSF code snippet: integrating JSF pages into a plain old JSP

A simple way to include a JSF page in a bigger JSP (sure, there are other ways, but this one is easy):
the JSF page must be a subview:

<%@ taglib uri="http://java.sun.com/jsf/html" prefix="h"%>
<%@ taglib uri="http://java.sun.com/jsf/core" prefix="f"%>
<f:subview id="myJSFSubview">
    <%-- the JSF components of the page go here --%>
</f:subview>

The tricky part is how to include it in the JSP in a way that is independent of the main JSP. You just need to include it like this:

<% pageContext.include("myJSFpage.jsf"); %> 


Ujjwal Soni

Simple Java tricks to protect your web application against SQL injection

Your application is vulnerable to SQL injection when you send unfiltered strings to the database. Most modern ORM frameworks should take care of it (but don't take my word for it... go ahead and check how secure your framework is).
Sometimes you have to work with plain JDBC (or ODBC). Here are a couple of tricks that help:

1. First and foremost, avoid concatenating strings into SQL queries. Use prepared statements unless it is not possible (e.g. cases where you have an undefined number of parameters).
2. Leverage the language's type system: if you're passing a number, use Integer instead of String... any invalid character will fail the conversion and will never reach the DB.
3. If there's no option but to concatenate strings, make sure quote characters are escaped (for example, in DB2 you have to replace each single quote character with two single quote characters: instead of "SELECT * FROM users WHERE name='"+param+"'" use "SELECT * FROM users WHERE name='"+param.replaceAll("'","''")+"'").

For something a little more advanced, you can wrap the strings in some kind of "EscapedString" class and use that class in the signatures of the DAOs (related to 2.).

Note: this is by no means a comprehensive list. Application security is very hard; check your database documentation...
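As an added example (not code from the original post), here is a small JDBC DAO that applies tricks 1 and 2 above and also shows that the "undefined number of parameters" case can still use a prepared statement by generating the placeholders, so the escaping fallback of trick 3 is rarely needed. It assumes the caller supplies an open java.sql.Connection and a hypothetical table users(id INT, name VARCHAR).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not code from the original post. Assumes an open JDBC Connection supplied by
// the caller and a hypothetical table users(id INT, name VARCHAR); works with any JDBC driver.
public class UserDao {
    private final Connection conn;
    public UserDao(Connection conn) { this.conn = conn; }

    // Trick 1: bind the value instead of concatenating it; a quote inside 'name' is plain data.
    public List<String> findByName(String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, name);
            return collectNames(ps);
        }
    }

    // Trick 2: let the type system reject anything that is not an integer before a query is built.
    public List<String> findById(String rawId) throws SQLException {
        final int id;
        try { id = Integer.parseInt(rawId); }
        catch (NumberFormatException e) { throw new IllegalArgumentException("id must be an integer: " + rawId, e); }
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE id = ?")) {
            ps.setInt(1, id);
            return collectNames(ps);
        }
    }

    // The "undefined number of parameters" case: concatenate only '?' placeholders, never the values,
    // so prepared statements still cover it and the escaping fallback from trick 3 is not needed.
    public List<String> findByIds(List<Integer> ids) throws SQLException {
        if (ids.isEmpty()) return Collections.emptyList();
        String placeholders = String.join(",", Collections.nCopies(ids.size(), "?"));
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE id IN (" + placeholders + ")")) {
            for (int i = 0; i < ids.size(); i++) ps.setInt(i + 1, ids.get(i));
            return collectNames(ps);
        }
    }

    private static List<String> collectNames(PreparedStatement ps) throws SQLException {
        List<String> out = new ArrayList<>();
        try (ResultSet rs = ps.executeQuery()) { while (rs.next()) out.add(rs.getString("name")); }
        return out;
    }
}
```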


Ujjwal Soni

How to Protect Against MySQL Injection on User Login Form

The PHP snippet below escapes login-form input to protect your database against MySQL injection through user login forms. This preventive action keeps spammers from running their own queries on your database without your knowledge.

Code to Protect Against MySQL Injection via Login Form

<?php
// Remove any slashes already added (typically by magic_quotes in PHP 5.3 and earlier) so the
// values are not escaped twice.
$username = stripslashes($username);
$password = stripslashes($password);
// Escape quote and other special characters for MySQL; mysql_real_escape_string() needs an
// open mysql_connect() link.
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);


Ujjwal Soni

-- In Dreams And In Love There Are No Impossibilities --

Monday, September 5, 2011

What will happen to Java, in Oracle's hands ?

I was asked by my friend a few days back, "What will happen to Java in Oracle's hands?"

My answer was.. INSERT INTO "Oracle" SELECT * FROM "Sun"

'...Open source will continue at Oracle - along with Java. It could even profit. Just don't expect it to help anybody else.'

It will help. Oracle has more money than Sun.

I don't think it will become more proprietary. IBM, Red Hat, Apache etc. will not allow that.

Java is OK. The JVM is not OK. But at least we have CacaoVM and some open-source implementations once Oracle bastardizes it. On the other hand, I don't think they want to screw it up on the main trunk. They did this to the Red Hat clone called Oracle Linux, which is a completely rubbish distribution. I would worry more about OpenSolaris — some unpleasant "fun" from Oracle might be starting there... :-(

Java became popular because of Sun's open policies. Any attempt to commercialize Java or make it more proprietary will turn out to be a bad move for the technology.

I think Oracle will try to make more money from Java licenses and try to control Java and use it for competitive advantage, which will make other Java vendors insecure, and they will eventually move away from Java. In a free market Oracle is free to do this, but it will not be good for the technology.

Use it if you like it; don't try to own it.

I just hope a String2 won't appear that is null and an empty string at the same time, as they did with VARCHAR... :-)


Ujjwal Soni

-- In Dreams And In Love There Are No Impossibilities --

Top "MUST HAVE" habits of a great software developer to ensure creating a world class quality coding product

Below are some of the top "MUST HAVE" habits of a great software developer to ensure creating a world class quality coding product:

1) Self discipline. So much bad code is due to laziness by developers who don't do what they know should be done.

2) Assume the code written doesn't work unless it is proven to work.
Don't assume that things will never fail. In other words, assume things will fail and provide for clean handling of it. Error messages reporting errors are required. Crash on error is unacceptable.

3) Hangs are unacceptable. All code should be bounded in time and an error must be reported if it runs over.
Do your own testing. It doesn't matter if you have a separate test group. Do your own testing anyway.

4) Never assume that a user will never do something with the code. Assume that a user will do anything and everything possible. Provide clean handling and error messages for everything not allowed.

5) The developer should ensure that the code compiles with zero warning messages.
Always use a source code repository, even in a “team” of one person. The repository should be backed up properly.

6) Never check in code to a main repository that doesn't compile cleanly. Checking in to a branch repository for checkpointing or backups is OK.

7) Teamwork - few things are small enough or require so few skills that one person can do them well.

8) Discipline - do things right *all the time* if you want top quality.
Ability, Experience - one needs to learn on the job; they say you tend to get expert only after 10,000 hours at a skill.

9) Breadth - you need to understand other people's vision not just your own, or what you make will suit you and nobody else.

10) Luck - whether your idea or somebody else's, you need a good idea AND the luck to get it to market at the right time.

11) A good team - what you can't put toward the effort yourself, the rest of the team needs to supply.

12) Knowledge - especially of design patterns (remembering that they give direction, not the right solution) and frameworks

13) TESTS - they prove that the code works. He/she must write tests automatically, without thinking "do I have to?"

14) Digging into problems - it leverages the knowledge and gives him/her a deep understanding of the technology

15) Curiosity - to stay up to date with other concepts

16) Document everything (tomorrow you do not remember what is in your head today).

17) Pay attention to what your customer or requirements analyst says and work with him/her. Do not assume that you know their needs better; they are their needs. Do not assume that your work is just writing code; it is also discussing your plans and results with your clients.

18) Always plan your next task and sketch a model of what you will build.

19) Always check on the internet for things you need. It is very rare that you were the first to need them. For every hint you get try to give something back to the community. If there is an open source project near your needs use it and expand it. It is better to focus on your new task than reinventing the wheel.

20) Always take some time to check if you need to use a new tool or programming language. A good programmer is not tied to a specific language, however he can be very good or specialized at one or more.

21) Proper error/exception handling... make sure that the app does not crash

22) He/she should be a 'continuous learner' and upgrade their skills in their respective domain from time to time.

23) Last, but not least, think 'out of the box'. Smart people can easily entertain new ideas, thoughts, and ways of doing things.


Ujjwal Soni

-- In Dreams And In Love There Are No Impossibilities --