Do not use UI validation to defend against SQL Injection Attacks. That's
the job of JDBC Prepared Statements.

Paul

On Tue, Mar 26, 2013 at 5:15 PM, J.V. <jvsr...@gmail.com> wrote:

> I have to add checking each and every form field in my application for SQL
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in SQL injection is found).
>
> Each of my form classes has a validator() method.  I was thinking of
> creating my own abstract form class
>
> import org.apache.struts.validator.DynaValidatorForm;
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks here and return true or false
>         return true;
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and, in each of my existing Form classes, call
> validateSQL() as the first call of each now-existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields. Is there an easier way?  I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
>
> J.V.
>
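
The defence Paul recommends, as an added example that is not part of this thread: the same lookup written with string concatenation (the pattern a form-field character blacklist tries to paper over) and with a JDBC PreparedStatement (the fix). The `users` table, its `username` column and the `Connection` supplied by the caller are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public final class UserLookup {

    // Vulnerable: the form value is pasted into the SQL text, so any quote
    // character the user types changes the structure of the statement.
    // Note that a legitimate value such as the surname O'Brien already breaks
    // this query, which is why a character blacklist in validator() would end
    // up rejecting real data without actually fixing the underlying problem.
    static boolean userExistsUnsafe(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe: the SQL text is fixed and the value travels to the driver as a
    // bound parameter. Whatever the user typed is compared as data and can
    // never be parsed as SQL, so O'Brien works and no form-level character
    // filtering is needed for injection defence. The Struts validator()
    // methods remain useful for ordinary input checks (required, length,
    // format), just not as the SQL injection control.
    static boolean userExists(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

The same rule applies to every other place a form value reaches a query (ORDER BY or LIKE clauses, DAO helpers, stored-procedure calls via CallableStatement): bind the value, never concatenate it.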
