For embedded quotes, use JDBC prepared statements ... they take care of any escaping that is necessary for you.
For embedded HTML, use Struts tags like <bean:write> to render the dynamic output to your page -- unless you tell them not to (filter="false"), any sensitive characters in HTML will be automatically escaped. In JSTL, the <c:out> tag does the same thing unless you turn it off (escapeXML="false"). And in JSF, <h:outputText> filters unless you turn it off with escape="false".

Craig

On Wed, 25 Aug 2004 09:43:34 -0700 (PDT), Woodchuck <[EMAIL PROTECTED]> wrote:
> hihi,
>
> does struts or jstl have a good way to handle data coming back from the
> database that contains things like:
> - ' (single quote)
> - " (double quote)
> - <,> (html characters)
>
> and also to prevent against sql injection/poisoning attacks?
>
> can someone shed light on best practice suggestions?
>
> please, and thanks in advance!
> woodchuck
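The two mechanisms Craig describes, bound parameters for the query and escaping at the point of output, are shown below as an added example that is not part of the thread. It is written in Python with the standard-library sqlite3 and html modules rather than in the Struts/JSTL stack, so that it runs without a servlet container; the users table and its rows are constructed for the example, and render_cell is a stand-in for what <bean:write filter="true"> or <c:out> does to a value before it reaches the page.

```python
import html
import sqlite3

# Constructed sample rows (made up for this example); note the embedded quote.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'hara", "ohara@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller's string is spliced into the SQL text, so a
    quote in the data ends the literal and the rest is parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Safe: the value travels as a bound parameter (the equivalent of a JDBC
    PreparedStatement placeholder) and is never interpreted as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_fails_on_quote(conn, name):
    """True if the concatenated query cannot even be parsed for this input,
    which is what happens with a plain O'Hara-style name."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_cell(value, escape=True):
    """Stand-in for <bean:write> / <c:out> / <h:outputText>: escape the
    HTML-sensitive characters & < > " ' unless escaping is switched off,
    mirroring filter="false" / escape="false" on those tags."""
    return html.escape(value, quote=True) if escape else value


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("concat  :", lookup_concat(db, payload))    # every row leaks
    print("prepared:", lookup_prepared(db, payload))  # [] - literal match only
    print("O'Hara via concat breaks:", concat_fails_on_quote(db, "o'hara"))
    print("O'Hara via prepared     :", lookup_prepared(db, "o'hara"))
    print(render_cell("<b>\"hi\" & 'bye'</b>"))
    print(render_cell("<b>\"hi\" & 'bye'</b>", escape=False))
```

The same injection string that returns every row through string concatenation matches nothing through the bound parameter, and the name with an apostrophe, which makes the concatenated query unparseable, is an ordinary lookup with a placeholder. On the output side, the escaped form of a value is what the tags emit by default; passing escape=False corresponds to turning the tag's filtering off and should be reserved for data you already know to be safe markup. One spelling caveat for the JSTL case: the attribute on <c:out> is escapeXml.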