Craig, both you and Jim suggested that I make use of prepared statements. I implemented my SQL using strings because it is easier to tweak during the development phase.
Now that the project is in maintenance, moving to prepared statements is a good idea. It will probably help a bit in performance as well. As for the XML/SOAP calls, using the serializer to create the character entities would be good.

Thanks
Wiebe de Jong

-----Original Message-----
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

    String streetAddress = "..."; // String may have "\" and "'" characters in it
    PreparedStatement stmt = conn.prepareStatement
      ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
    stmt.setString(1, streetAddress);
    stmt.setInt(2, custId);
    stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or JDO or JDBC RowSets or Hibernate or iBatis et al., you don't need to worry about any of this -- it all happens automatically for you.)

> For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either " or ' as attribute delimiters, so if a string includes one kind, just use the other.
* Write or use an XML serializer that translates "&" to "&amp;" and so on for me.
* If the XML I am writing is actually markup on a page, use JSF components ... JSF includes APIs that do all the escaping for you.

> Wiebe de Jong

Craig

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
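An added example, not code from either message in this thread: it puts the string-built SQL that Wiebe describes next to the prepared-statement form Craig suggests, and adds a small escaper for the XML characters Wiebe filters. The class name, the sample address and the JDBC `Connection` argument are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class SafeCustomerUpdate {

    // Constructed sample input: an address that breaks a quote-delimited SQL string.
    static final String SAMPLE_ADDRESS = "12 O'Reilly St \\ Unit 3";

    // The pattern the thread warns against: the value is spliced into the SQL text,
    // so an apostrophe ends the literal early (the database error Wiebe saw) and,
    // worse, lets user input change the meaning of the statement.
    static String concatenated(String streetAddress, int custId) {
        return "UPDATE CUSTOMER SET STREET_ADDRESS='" + streetAddress
             + "' WHERE CUSTID=" + custId;
    }

    // The prepared-statement form from Craig's reply: the SQL text is fixed and the
    // driver sends the value separately, so no input characters need to be banned.
    static int updateAddress(Connection conn, String streetAddress, int custId)
            throws SQLException {
        try (PreparedStatement stmt = conn.prepareStatement(
                "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?")) {
            stmt.setString(1, streetAddress);
            stmt.setInt(2, custId);
            return stmt.executeUpdate();
        }
    }

    // Escaping for XML text and attribute values instead of rejecting the input.
    // A backslash has no special meaning in XML, so it is passed through unchanged.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(concatenated(SAMPLE_ADDRESS, 42));
        System.out.println("<street>" + escapeXml(SAMPLE_ADDRESS) + "</street>");
    }
}
```

Running `main` prints the broken concatenated statement so the early-terminated literal is visible, while `updateAddress` needs only a live `Connection` to run the same update safely.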