commons-user mailing list archives

From Serge Knystautas <ser...@lokitech.com>
Subject Re: Checking if a String is both HTML and SQL safe
Date Fri, 22 Aug 2003 13:31:14 GMT
Marcelo Bello wrote:
> I am developing a web application that MUST be safe.
> 
> I am searching for a Java lib that can check a string to be both:
> 
> - HTML safe (replacing '<' with '&gt' etc... );
> - SQL safe;
> 
> SQL safeness is critical, because the string typed by the user will be used to
> generate a SQL statement. I can't allow users to input a "malicious"
> string that would end up allowing them to execute arbitrary SQL
> statements.

Can you expand on SQL safe?  Normally in Java you would use 
PreparedStatements and have the user data set as parameters, so a user 
doesn't actually write the SQL themselves.  But if you are letting 
someone write the SQL themselves, then what do you mean by "safe"?  Select 
only these tables?  Select and update?  Select, update, delete but not 
bulk delete?  Insert?

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
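To make the PreparedStatement point above concrete, here is an added Java example; it is not code from this thread or from Commons, and the table name "users" and the columns "username" and "email" are assumptions made for illustration. It puts the string-concatenated query beside its parameterised form, shows the allow-list check that is needed when the user picks an identifier (a column or table) rather than a value, since '?' placeholders only bind values, and keeps HTML escaping as a separate output-time step.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example, not code from the original thread. The table "users" and
 * the columns "username" / "email" are assumptions made for illustration.
 */
public class SafeLookup {

    /* VULNERABLE: the user's text is spliced into the SQL. Input such as
     *     ' OR '1'='1
     * closes the quoted literal and changes the statement's structure. */
    static List<String> findByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = '" + name + "'";
        List<String> out = new ArrayList<>();
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                out.add(rs.getString(1));
            }
        }
        return out;
    }

    /* SAFE: the SQL text is fixed before any user data is seen; the driver
     * sends the value as a parameter (or quotes it correctly for the
     * dialect), so the same hostile input is compared as a literal string
     * against the column and simply matches nothing. */
    static List<String> findByName(Connection c, String name) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }

    /* Caveat: '?' binds values only. If the user may choose WHICH column is
     * used, that identifier cannot be a parameter; check it against a fixed
     * allow-list and only then concatenate the (now constant) name. */
    private static final Set<String> SORTABLE_COLUMNS =
            new HashSet<>(Arrays.asList("username", "email"));

    static List<String> findByNameOrdered(Connection c, String name, String orderBy)
            throws SQLException {
        if (!SORTABLE_COLUMNS.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT username FROM users WHERE username = ? ORDER BY " + orderBy;
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }

    /* HTML safety is a separate, output-time concern: escape when the value
     * is written into a page, not when it is stored or queried. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed hostile input. The JDBC methods above need a live
        // Connection, which this stand-alone main does not open.
        String hostile = "<script>alert(1)</script>' OR '1'='1";
        System.out.println(escapeHtml(hostile));
    }
}
```

Passed to findByName, the hostile string never reaches the SQL parser as syntax; passed to findByNameUnsafe, it becomes part of the WHERE clause. The allow-list in findByNameOrdered is the answer to the "select only these tables / columns" part of the question: the set of permitted identifiers is decided by the application, not parsed out of user input.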

