See numbers in attached email below.

1.  You know I can't get that enforced in the team.

2.  I agree with you on this, and I did mention this in my web page.   BUT..... Maybe 
I have been a "team player" for too long, but I don't see how else I can take care of 
human mistakes during development -- some developer (including me) forgets to validate 
the input length in the validate() function.
I gotta find time to evaluate some of the struts-config tools out there.

3.  I shall try the global validation approach, because it appears to make the 
"hacker-beware/proprietary warning" page response cleaner.

Oh!  The discussion thread distracted me, but I also wanted to share self-deprecatory 
jokes about my SafeValidatorForm.
One of the developers marked a field as not nullable (cut-n-paste typo actually) using 
the SafeValidatorForm API, when it could be sent null (a typical text field).
You should have seen the look on the faces of the product development team when the 
hacker-beware page popped up unexpectedly, and we had to do a whole new build and 
deploy, in a hurry.
Now you know why I am liking the global validation config-file approach. ;-)

-----Original Message-----
From: Matt Bathje [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 5:22 PM
To: Struts Users Mailing List
Subject: Re: hacker-proofing Struts-based exposed websites


(1) Yes, you would have to do it for every form in the application. .......... 

(2)  Is that better or worse than having to have a form class that extends 
SafeValidatorForm? I think we know where I stand, but I can see the case 
for extending ValidatorForm to put the validation there. Still don't see 
the case for the required/maxlength validators that you add though.

(3) I think a global-validation type scheme is kind of a cool idea - if you 
look into validator and decide you want to extend it to include a 
global-validation, be sure to contribute back to the commons validator 
people :)

Matt



Seetamraju, Uday wrote:
> You may have a point there about me needing to take a better look at the current 
> Validator.
> 
> But, from what you write below, do you want me to do the following for --every-- 
> form in my application?
> Is there a 'global-validation' available in the latest validator?
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 

 
 
 
