hi Craig!!
yup, I am using prepared statements and it safely handles the
single/double quotes beautifully.
I guess I still have to filter out SQL constructs/keywords/statements
myself before passing the data to my prepared statement objects.
do you mean that instead of doing this:
i do this i
For embedded quotes, use JDBC prepared statements ... they take care
of any escaping that is necessary for you.
For embedded HTML, use Struts tags like to render the
dynamic output to your page -- unless you tell them not to
(filter="false"), any sensitive characters in HTML will be
automatically
--- Jim Barrows <[EMAIL PROTECTED]> wrote:
>
>
> > -Original Message-
> > From: Woodchuck [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 25, 2004 9:44 AM
> > To: struts
> > Subject: best practice for handling single/double quotes, html
> > characters, sql injection/poisoning
> >
> -Original Message-
> From: Woodchuck [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 25, 2004 9:44 AM
> To: struts
> Subject: best practice for handling single/double quotes, html
> characters, sql injection/poisoning
>
>
> hihi,
>
> does struts or jstl have a good way to handle