No matter where this is done, the basic problem is that we have single quotes, 
double quotes, ampersands, semicolons, and parentheses in our data.

After Googling on this topic for an hour or so I do not see an elegant 
solution, other than possibly filtering on SQL keywords (DROP, ALTER, etc.).

Has anyone created an elegant solution for this problem within the Struts 
framework?

Mike

 


--- On Thu, 11/15/07, Dave Newton <[EMAIL PROTECTED]> wrote:

> From: Dave Newton <[EMAIL PROTECTED]>
> Subject: Re: Struts Validator to Prevent SQL Injection Attacks
> To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
> Date: Thursday, November 15, 2007, 9:56 AM
> --- Mike Duffy <[EMAIL PROTECTED]> wrote:
> > Does anyone have a great solution for a validator
> > that will prevent users from entering malicious SQL
> > into form entry text fields?
> 
> I'm not sure that belongs in a validator; unless you
> never need to allow the use of a single quote. It is,
> however unlikely, conceivable that Little Bobby
> Tables[1] actually exists in the real world.
> 
> Personally I'd put escaping either in a separate
> interceptor or on the business logic/pre-business
> logic data scrubbing side of things.
> 
> d.
> 
> [1] http://xkcd.com/327/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]


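Added example, not code from this thread or from Struts: the distinction Dave's reply is drawing, worked in Python with sqlite3 standing in for the Struts application's JDBC layer (the bound-parameter form below is what a JDBC PreparedStatement with "?" placeholders does). The users table, the names and the payload are constructed for the demo. It shows the concatenated query being broken open by a single quote, the same input made harmless by a bound parameter, the keyword blacklist from the question letting that payload through while rejecting a harmless name, and a no-single-quotes validator rejecting O'Brien.

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread): one
# legitimate apostrophe-containing name, which a validator that rejects
# single quotes would refuse.
SAMPLE_USERS = [("alice", "Alice Smith"), ("obrien", "Dan O'Brien")]


def make_db():
    """In-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, fullname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the thread is worried about: the form field is pasted into
    the SQL text, so a quote in the data becomes a quote in the query."""
    sql = "SELECT fullname FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Same query with a bound parameter. The value travels separately from
    the statement text, so it cannot change the statement's structure no
    matter which characters it contains; quotes need no escaping at all."""
    sql = "SELECT fullname FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The keyword blacklist idea from the question (hypothetical list).
SQL_KEYWORDS = ("DROP", "ALTER", "DELETE", "INSERT", "UPDATE", "UNION")


def keyword_filter_accepts(value):
    """Rejects input containing a blacklisted keyword. It catches the obvious
    payloads, misses anything built from quotes and OR, and rejects ordinary
    words that happen to contain a keyword ('Walter' contains 'ALTER')."""
    upper = value.upper()
    return not any(kw in upper for kw in SQL_KEYWORDS)


def no_quotes_validator_accepts(value):
    """A validator that simply forbids single quotes. It does keep the
    concatenated query intact, at the cost of refusing real names."""
    return "'" not in value


def demo():
    """Runs each approach against a normal username and a classic payload."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed: turns the WHERE clause into always-true
    return {
        "vuln_alice": lookup_vulnerable(conn, "alice"),
        "vuln_payload": lookup_vulnerable(conn, payload),       # every row leaks
        "param_alice": lookup_parameterized(conn, "alice"),
        "param_payload": lookup_parameterized(conn, payload),   # no such user
        "param_obrien": lookup_parameterized(conn, "obrien"),   # quote in data is fine
        "keyword_filter_passes_payload": keyword_filter_accepts(payload),
        "keyword_filter_rejects_walter": not keyword_filter_accepts("Walter"),
        "no_quotes_rejects_obrien": not no_quotes_validator_accepts("Dan O'Brien"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the demo is the one in the reply: the fix belongs where the query is built, not in a form validator. With a bound parameter there is nothing to validate or escape for SQL's sake, so the form can accept O'Brien, ampersands and semicolons as data; input validation then goes back to being about business rules (length, character set for the field's purpose), not about defending the database.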