Chapter 9: Application Development
Practice Exercises
9.1 What is the main reason why servlets give better performance than programs that use the common gateway interface (CGI), even though Java programs generally run slower than C or C++ programs?
9.2 List some benefits and drawbacks of connectionless protocols over protocols that maintain connections.
9.3 Consider a carelessly written web application for an online-shopping site, which stores the price of each item as a hidden form variable in the web page sent to the customer; when the customer submits the form, the information from the hidden form variable is used to compute the bill for the customer. What is the loophole in this scheme? (There was a real instance where the loophole was exploited by some customers of an online-shopping site before the problem was detected and fixed.)
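The hidden-price scheme of Exercise 9.3, written out as an added Python example (not from the textbook): the careless bill computation that trusts the value posted back from the browser, beside the server-side catalog lookup that replaces it. The catalog, item ids and form submission are constructed for illustration.

```python
# Added example for Exercise 9.3: the server's catalog is the only trustworthy
# source of prices; a hidden form field travels to the client and comes back
# as ordinary request data, so it may not be the value the server sent out.
from decimal import Decimal

# Constructed server-side catalog: item id -> unit price
CATALOG = {"book-101": Decimal("49.99"), "cable-7": Decimal("9.50")}


def compute_bill_vulnerable(form):
    """Careless version: uses the price field that came back with the form."""
    total = Decimal("0")
    for line in form["items"]:
        total += Decimal(line["price"]) * int(line["qty"])
    return total


def compute_bill(form):
    """Safe version: ignores any client-supplied price, looks each item up in
    the server-side catalog, and rejects unknown items or bad quantities."""
    total = Decimal("0")
    for line in form["items"]:
        item_id = line["item_id"]
        if item_id not in CATALOG:
            raise ValueError(f"unknown item {item_id!r}")
        qty = int(line["qty"])
        if qty < 1:
            raise ValueError("quantity must be positive")
        total += CATALOG[item_id] * qty
    return total


def altered_submission():
    """Constructed submission in which the hidden price of book-101 was
    changed from 49.99 to 0.01 before the form was posted."""
    return {"items": [{"item_id": "book-101", "price": "0.01", "qty": "2"},
                      {"item_id": "cable-7", "price": "9.50", "qty": "1"}]}


if __name__ == "__main__":
    form = altered_submission()
    print("hidden-field price:", compute_bill_vulnerable(form))  # 9.52
    print("catalog price:     ", compute_bill(form))             # 109.48
```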
9.4 Consider another carelessly written web application which uses a servlet that checks if there was an active session but does not check if the user is authorized to access that page, instead depending on the fact that a link to the page is shown only to authorized users. What is the risk with this scheme? (There was a real instance where applicants to a college admissions site could, after logging into the web site, exploit this loophole and view information they were not authorized to see; the unauthorized access was, however, detected, and those who accessed the information were punished by being denied admission.)
9.5 Why is it important to open JDBC connections using the try-with-resources (try (...) { ... }) syntax?
9.6 List three ways in which caching can be used to speed up web server performance.
9.7 The netstat command (available on Linux and on Windows) shows the active network connections on a computer. Explain how this command can be used to find out if a particular web page is not closing connections that it opened, or, if connection pooling is used, not returning connections to the connection pool. You should account for the fact that with connection pooling, the connection may not get closed immediately.
9.8 Testing for SQL-injection vulnerability:
a. Suggest an approach for testing an application to find if it is vulnerable to SQL injection attacks on text input.
b. Can SQL injection occur with forms of HTML input other than text boxes? If so, how would you test for vulnerability?
9.9 A database relation may have the values of certain attributes encrypted for security. Why do database systems not support indexing on encrypted attributes? Using your answer to this question, explain why database systems do not allow encryption of primary-key attributes.
9.10 Exercise 9.9 addresses the problem of encryption of certain attributes. However, some database systems support encryption of entire databases. Explain how the problems raised in Exercise 9.9 are avoided if the entire database is encrypted.
9.11 Suppose someone impersonates a company and gets a certificate from a certificate-issuing authority. What is the effect on things (such as purchase orders or programs) certified by the impersonated company, and on things certified by other companies?
9.12 Perhaps the most important data items in any database system are the passwords that control access to the database. Suggest a scheme for the secure storage of passwords. Be sure that your scheme allows the system to test passwords supplied by users who are attempting to log into the system.