Just "a pointer" to the following:

> Any pointers?
> How do you filter your sql sensitive characters?

If you use java.sql.PreparedStatement you should not require any manual character filtering or escaping.

My two cents,
Patrick

Quoting Mike Whittaker <[EMAIL PROTECTED]>:

> Okay, no one seems to have any suggestions so having thought about this for
> about a week now here is what I propose to do.
>
> I'm just trying to implement very simple forms the struts way; prepopulation
> & validation are not major concerns at the moment but I'd like to keep the
> option open.
> My main requirement is to retain global filtering of all request parameters,
> for instance to keep a database secure by escaping sensitive sql characters.
>
> My other requirement is small URLs with tiny parameter names.
>
> 1/ Use DynaActionForms to define these tiny parameter names.
> 2/ The DynaActionForms will be a DAF subclass, which will implement an
> interface that specifies at least the set & get methods.
> 3/ Either the attributes of this DAF can be altered (eg filtering
> characters) with the aid of BeanUtils or a duplicate can be made to which
> this is done.
> 4/ Objects of type ThisInterface can then be shipped to the Business layer,
> struts being transparent.
> 5/ The business layer can utilise a meaningful Constants interface that
> makes the tiny parameter names more meaningful.
>
> Does this sound okay?
>
> This was my other post on the same subject that has been lost in the
> postings barrage!
>
> > Say for instance you want to filter for all the ' " \ characters in request
> > parameters, either removing them, or escaping them.
> >
> > Either way if you do it before the action form gets them, then on
> > prepopulation of form fields the user will see these alterations (not
> > desirable).
> > If you do it after you decide the form won't be returned then:
> >
> > a) It becomes difficult because you have just form bean method calls to get
> > the parameters; something like filter(getMyString()) becomes a pain and open
> > to missing out the filtering with potentially disastrous consequences!
> >
> > b) If you decided to somehow globally alter a session scoped form then again
> > you have prepopulation alterations.
> >
> > I have seen that RequestProcessor may offer hope, I'd like to know the order
> > that these RP methods are called.
> >
> > I realise that I could use BeanUtils and make a DynaBean copy of a form
> > bean, filtering the parameters during the copy. Just seems overkill, and
> > yet another object in the request.
> >
> > Any pointers?
> > How do you filter your sql sensitive characters?

--
Portable: +41 (0)76 446 97 12
Fixe: +41 (0)32 71 007 74
Web: http://www.extentis.com
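An added illustration of Patrick's point (example code written for this page, not from the thread or from Struts). It assumes a hypothetical `users` table with `username` and `email` columns and an already-open JDBC `Connection`; the first method shows the string-building that the "filter sensitive characters" idea is trying to protect, the second shows why a bound parameter makes that filtering unnecessary.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical lookup used from a Struts action; table and column names are assumptions.
public class UserLookup {

    // What the "escape ' \" \\ in every request parameter" approach is guarding:
    // the raw parameter is pasted into the SQL text, so any quote the filter
    // misses (or a filter that is forgotten on one call path, as Mike fears in
    // point a) changes the meaning of the statement.
    static String emailByConcatenation(Connection con, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Patrick's suggestion: the value is sent to the driver separately from the
    // SQL text, so quotes and backslashes in it are data, never syntax.  Nothing
    // in the form layer has to alter the parameter, which also means the value
    // the user typed round-trips unchanged when the form is prepopulated again.
    static String emailByPreparedStatement(Connection con, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);            // bound as a parameter, not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // From a Struts 1 Action.execute(), the tiny DynaActionForm property can be
    // handed over untouched (shown as a comment so this file compiles without
    // the Struts jars; "u" is an assumed form-property name):
    //   DynaActionForm daf = (DynaActionForm) form;
    //   String email = UserLookup.emailByPreparedStatement(con, (String) daf.get("u"));
}
```

One caveat worth keeping in mind: `?` placeholders bind values only, so a table or column name that comes from a request parameter cannot be parameterised this way and must be checked against a fixed allow-list instead.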

