hi Craig!! yup, I am using prepared statements and it safely handles the single/double quotes beautifully.

I guess I still have to filter out SQL constructs/keywords/statements myself before passing the data to my prepared statement objects.

do you mean that instead of doing this:

    <html:text name="myObj" property="myField"/>

I do this instead?:

    <input type="text" value='<bean:write name="myObj" property="myField" filter="true"/>'>

or

    <input type="text" value='<c:out value="${myObj.myField}" escapeXml="true"/>'>

woodchuck

--- Craig McClanahan <[EMAIL PROTECTED]> wrote:

> For embedded quotes, use JDBC prepared statements ... they take care
> of any escaping that is necessary for you.
>
> For embedded HTML, use Struts tags like <bean:write> to render the
> dynamic output to your page -- unless you tell them not to
> (filter="false"), any sensitive characters in HTML will be
> automatically escaped. In JSTL, the <c:out> tag does the same thing
> unless you turn it off (escapeXML="false"). And in JSF
> (<h:outputText> filters unless you turn it off with escape="false").
>
> Craig
>
>
> On Wed, 25 Aug 2004 09:43:34 -0700 (PDT), Woodchuck
> <[EMAIL PROTECTED]> wrote:
> > hihi,
> >
> > does struts or jstl have a good way to handle data coming back from the
> > database that contains things like:
> > - ' (single quote)
> > - " (double quote)
> > - <,> (html characters)
> >
> > and also to prevent against sql injection/poisoning attacks?
> >
> > can someone shed light on best practice suggestions?
> >
> > please, and thanks in advance!
> > woodchuck
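The following is an added example illustrating the two separate concerns in the exchange above; it is not code from either poster or from the Struts project. The table name "members", the column "display_name" and the class name are assumptions, and escapeHtml() is a stand-in for what <bean:write filter="true"> / <c:out escapeXml="true"> do at render time (its exact character set is this example's choice, not a claim about the tag libraries). Note that with a bound parameter the driver never parses the value as SQL, so quotes, comment markers and keywords inside it are plain data and no keyword filtering is needed before calling setString().

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class StoreAndRenderExample {

    /**
     * Unsafe pattern, shown only for contrast: the value is spliced into
     * the SQL text, so a single quote inside it changes the statement.
     */
    static String unsafeQuery(String displayName) {
        return "SELECT id FROM members WHERE display_name = '" + displayName + "'";
    }

    /**
     * Safe pattern: the SQL text is fixed and the value travels as a bound
     * parameter.  The driver treats it purely as data, so nothing in it
     * (quotes, "--", keywords) has to be stripped first.
     * "members" / "display_name" are assumed names for this example.
     */
    static List<Integer> findMembers(Connection conn, String displayName) throws SQLException {
        String sql = "SELECT id FROM members WHERE display_name = ?";
        List<Integer> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, displayName);        // bound, not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("id"));
                }
            }
        }
        return ids;
    }

    /**
     * Output-side escaping, the job the filter="true" / escapeXml="true"
     * attributes do in the tag libraries.  The raw text stays in the
     * database; the characters that would be parsed as markup are
     * replaced only when the value is written into the page.
     */
    static String escapeHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the text input from the question with its value escaped. */
    static String textInput(String name, String valueFromDb) {
        return "<input type=\"text\" name=\"" + escapeHtml(name)
             + "\" value=\"" + escapeHtml(valueFromDb) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample value containing every character the original question listed.
        String fromDb = "O'Brien says \"<b>hi</b>\"";

        // The concatenated form is visibly malformed SQL; the prepared form never has this problem.
        System.out.println(unsafeQuery(fromDb));
        System.out.println(textInput("myField", fromDb));
        // findMembers(conn, fromDb) would be called with a real Connection from the container's DataSource.
    }
}
```

Keeping the two steps apart is the point: parameters protect the database on the way in, and escaping at render time protects the page on the way out, so the stored value itself is never mangled.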