Dave Newton wrote:
--- Mike Duffy <[EMAIL PROTECTED]> wrote:
Does anyone have a great solution for a validator
that will prevent users from entering malicious SQL
into form entry text fields?

I'm not sure that belongs in a validator; unless you
never need to allow the use of a single quote. It is,
however unlikely, conceivable that Little Bobby
Tables[1] actually exists in the real world.

Personally I'd put escaping either in a separate
interceptor or on the business logic/pre-business
logic data scrubbing side of things.

Agreed.

If you're using Hibernate (or even raw JDBC with parameterized statements), you get scrubbing automagically...

http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc

Note that it *is* possible to go wrong with Hibernate (and even easier to go wrong with JDBC), so read up on how you can accidentally break automagic scrubbing support.

Like Dave said, this is probably not something you want to do in an Interceptor (or even in your Service layer). You almost certainly want this in your DAO layer and you probably want to rely on your underlying DAO tool to "do the right thing".

Just be sure to write unit tests (or in this case, integration tests) for the DAO methods to test the scrubbing.

If you're using Spring and its DAO support (you are, aren't you? :-) writing both the DAO (either Hibernate or JDBC) is *really* easy and it has integration testing support that makes unit-testing the DAO's *really* awesome.

Did I mention that I like Spring? :-)

- Gary
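As an added illustration of the point made in this thread (not code from either poster), here is a minimal JDBC DAO showing the string-concatenation "before" case beside the parameterized form that the driver scrubs for you, plus the kind of integration check Gary recommends. It assumes an in-memory H2 database is on the classpath; the `users` table, the `UserDao` class and the sample rows are constructed for this example.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;
/** Contrasts string-built SQL with a parameterized statement (example DAO, assumed schema). */
public class UserDao {
    private final Connection conn;
    public UserDao(Connection conn) { this.conn = conn; }
    // Unsafe "before" case: user text is spliced into the SQL, so a single
    // quote changes the statement's structure instead of staying data.
    public List<String> findByNameUnsafe(String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }
    // Safe form: the driver sends the value separately from the query text, so
    // quotes, semicolons or comment markers in the name remain a literal value.
    // Hibernate's equivalent is a named parameter: "... where name = :n" with setParameter("n", name).
    public List<String> findByName(String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) { return collect(rs); }
        }
    }
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString(1));
        return out;
    }
    // Integration-style check against an in-memory H2 database (assumed on the classpath).
    public static void main(String[] args) throws Exception {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:dao_example")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users(name VARCHAR(64), email VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('O''Brien', 'ob@example.org')"); // constructed row
            }
            UserDao dao = new UserDao(c);
            // A legitimate name containing a quote is matched as data.
            System.out.println("parameterized, O'Brien: " + dao.findByName("O'Brien"));
            // Quote and comment characters are compared literally and match nothing.
            System.out.println("parameterized, Robert'; --: " + dao.findByName("Robert'; --"));
            try {
                dao.findByNameUnsafe("O'Brien"); // the quote breaks the hand-built statement
            } catch (SQLException e) {
                System.out.println("concatenated query failed: " + e.getMessage());
            }
        }
    }
}
```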
