Do not use UI validation to defend against SQL Injection Attacks. That's the job of JDBC Prepared Statements.
Paul

On Tue, Mar 26, 2013 at 5:15 PM, J.V. <jvsr...@gmail.com> wrote:
> I have to add checking each and every form field in my application for sql
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in sql injection is found).
>
> Each of my form classes has a validator() method. I was thinking of
> creating my own abstract form class
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks here and return true or false
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and in each of my existing Form classes call
> validateSQL() as the first call of each now existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields, is there an easier way? I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
> J.V.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
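An added example (not code from either poster) illustrating the point of the reply: a character blacklist in the form's validator rejects legitimate data such as the surname O'Brien, while a parameterised query handles it correctly and needs no UI-side filtering. It uses Python's sqlite3 with an in-memory table as a stand-in for the application's database; the `?` placeholder with a separately bound value is the same pattern as a JDBC PreparedStatement with `setString(1, name)`.

```python
import re
import sqlite3

# Blacklist in the style the question proposes: reject any field containing
# characters commonly seen in injection attempts. Note that it also rejects
# perfectly valid values that contain an apostrophe.
SUSPECT_CHARS = re.compile(r"""['";]|--""")


def validate_sql(fields):
    """Return False if any field contains a blacklisted character."""
    return not any(f is not None and SUSPECT_CHARS.search(f) for f in fields)


def make_db():
    """Constructed in-memory sample table standing in for the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Alice",), ("O'Brien",)])
    return conn


def find_by_name_concat(conn, name):
    """The pattern prepared statements replace: the value is spliced into the
    SQL text, so the database cannot tell data from query. Returns None when
    the statement fails to parse (an apostrophe in the value is enough)."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE name = '" + name + "'")
        return [r[0] for r in rows.fetchall()]
    except sqlite3.Error:
        return None


def find_by_name(conn, name):
    """Parameterised lookup: the SQL text is fixed and the value is bound as a
    parameter, exactly as a JDBC PreparedStatement does. The apostrophe in
    O'Brien is plain data here, so no character filtering is required."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(validate_sql(["O'Brien"]))          # False: legitimate name rejected
    print(find_by_name_concat(db, "O'Brien"))  # None: concatenated SQL breaks
    print(find_by_name(db, "O'Brien"))         # ["O'Brien"]
```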