> -----Original Message-----
> From: Woodchuck [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 25, 2004 9:44 AM
> To: struts
> Subject: best practice for handling single/double quotes, html characters, sql injection/poisoning
>
> hihi,
>
> does struts or jstl have a good way to handle data coming back from the database that contains things like:
> - ' (single quote)
> - " (double quote)
> - <,> (html characters)
No.

> and also to prevent against sql injection/poisoning attacks?
>
> can someone shed light on best practice suggestions?

My anti-injection techniques consist of:

1) Use prepared statements whenever possible. It will handle most of your concerns automagically.

2) If you're really paranoid, use a filter to go through all parameters on the way in looking for select.*from.*[(table1)(table2)], insert.*[(table1)(table2)] and other SQL syntax as well. [1]

3) HTML, you're looking for cross site scripting stuff, which, iirc is covered with \<a.*href= and \<img in fields where you know you don't want to allow any html. [1]

Then the filter flags to email any generic (ie select.*from) for human eyeballs, and rejects on sql pattern that also includes table names. Does the same for html, although I do more flagging than rejecting.

Looking for quotes and the like is fine, but there are so many exceptions that it's easier to use jakarta-oro or jakarta-regex to look for the things that are really a problem, and act on those.

[1] Don't trust my regexes, I'm doing this off the top of my head.
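The three techniques in the reply above, as an added example written for this thread and not the poster's own code. It uses java.util.regex (JDK 1.4+) in place of jakarta-oro/jakarta-regex, and the table names `users` and `orders`, the column names and the `findUser` method are assumptions made for the illustration. The escaping routine does by hand what JSTL's `<c:out>` (escapeXml="true" by default) and Struts' `<bean:write>` (filter="true" by default) already do for data coming back from the database; the pattern filter runs on request parameters on the way in; and the prepared statement binds the value as a parameter, so a quote in legitimate data such as the name O'Brien neither breaks the query nor changes its structure.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class InputHandlingDemo {

    /** Verdict of the inbound parameter filter (techniques 2 and 3 of the reply). */
    enum Verdict { OK, FLAG, REJECT }

    // Hypothetical table names for this application; stands in for the "(table1)(table2)" placeholder.
    static final String TABLES = "users|orders";

    // Generic SQL shape: flagged and e-mailed for a human to look at, not rejected outright.
    static final Pattern GENERIC_SQL =
        Pattern.compile("(?is)\\bselect\\b.*\\bfrom\\b|\\binsert\\b.*\\binto\\b");
    // SQL shape that also names one of our own tables: rejected.
    static final Pattern TABLE_SQL =
        Pattern.compile("(?is)\\b(select|insert|update|delete)\\b.*\\b(" + TABLES + ")\\b");
    // Markup in a field that should never carry HTML: flagged ("more flagging than rejecting").
    static final Pattern HTML_TAG =
        Pattern.compile("(?is)<a\\b[^>]*href=|<img\\b");

    // (1) Prepared statement: the value is bound as a parameter, never spliced into the SQL text,
    //     so a quote inside 'username' cannot end the literal or alter the statement.
    static PreparedStatement findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps;
    }

    // Shown only for contrast: concatenation lets any single quote in the data terminate the literal.
    static String concatenatedQuery(String username) {
        return "SELECT id, name FROM users WHERE name = '" + username + "'";
    }

    // (2)/(3) Inbound filter: reject SQL that names our tables, flag generic SQL or HTML for review.
    static Verdict classify(String value) {
        if (TABLE_SQL.matcher(value).find()) return Verdict.REJECT;
        if (GENERIC_SQL.matcher(value).find() || HTML_TAG.matcher(value).find()) return Verdict.FLAG;
        return Verdict.OK;
    }

    // Output escaping for data read back from the database: the same five characters
    // <c:out> / <bean:write> escape, so quotes and angle brackets render as text, not markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value: a perfectly legitimate name that happens to contain a quote.
        String name = "O'Brien";

        // The concatenated form is already broken SQL for ordinary data; the bound form is not.
        System.out.println(concatenatedQuery(name));   // ... WHERE name = 'O'Brien'  (unbalanced quote)
        System.out.println(escapeHtml("<b>\"" + name + "\"</b>"));
        // -> &lt;b&gt;&quot;O&#39;Brien&quot;&lt;/b&gt;

        // Constructed request parameters run through the inbound filter.
        String[] samples = {
            name,                                        // OK
            "please select from the menu",               // FLAG: generic select...from, human review
            "select * from users",                       // REJECT: SQL that names one of our tables
            "<a href=\"http://example.invalid\">hi</a>"  // FLAG: markup in a plain-text field
        };
        for (String s : samples) {
            System.out.println(classify(s) + "  <- " + s);
        }
    }
}
```

`main` runs without a database; only `findUser` needs a live JDBC `Connection`. The filter is the second line of defence the reply describes: the prepared statement is what actually keeps data out of the SQL grammar, and the pattern list only decides which inputs a human should look at.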