Thx Gary.

That is good information.

We are actually using JBoss with EJB 3.0, which uses Hibernate under
the covers, so I am assuming we are covered.

Mike


--- On Thu, 11/15/07, Gary Affonso <[EMAIL PROTECTED]> wrote:

> From: Gary Affonso <[EMAIL PROTECTED]>
> Subject: Re: Struts Validator to Prevent SQL Injection Attacks
> To: "Struts Users Mailing List" <user@struts.apache.org>
> Cc: [EMAIL PROTECTED]
> Date: Thursday, November 15, 2007, 11:13 AM
> Dave Newton wrote:
> > --- Mike Duffy <[EMAIL PROTECTED]> wrote:
> >> Does anyone have a great solution for a validator
> >> that will prevent users from entering malicious SQL
> >> into form entry text fields?
> > 
> > I'm not sure that belongs in a validator; unless you
> > never need to allow the use of a single quote. It is,
> > however unlikely, conceivable that Little Bobby
> > Tables[1] actually exists in the real world.
> > 
> > Personally I'd put escaping either in a separate
> > interceptor or on the business logic/pre-business
> > logic data scrubbing side of things.
> 
> Agreed.
> 
> If you're using Hibernate (or even raw JDBC with parameterized
> statements), you get scrubbing automagically...
> 
> http://forum.hibernate.org/viewtopic.php?t=960817&start=0&postdays=0&postorder=asc
> 
> Note that it *is* possible to go wrong with Hibernate (and even easier
> to go wrong with JDBC), so read up on how you can accidentally break
> automagic scrubbing support.
> 
> Like Dave said, this is probably not something you want to do in an
> Interceptor (or even in your Service layer).  You almost certainly want
> this in your DAO layer and you probably want to rely on your
> underlying DAO tool to "do the right thing".
> 
> Just be sure to write unit tests (or in this case, integration tests)
> for the DAO methods to test the scrubbing.
> 
> If you're using Spring and its DAO support (you are, aren't you? :-)
> writing both the DAO (either Hibernate or JDBC) is *really* easy and it
> has integration testing support that makes unit-testing the DAOs
> *really* awesome.
> 
> Did I mention that I like Spring? :-)
> 
> - Gary
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
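The point Gary and Dave make above, as an added example that is not code from the thread: the same DAO lookup written with string concatenation and with a JDBC PreparedStatement, plus the kind of integration test Gary recommends, using a name with a single quote (the "Little Bobby Tables" case). The StudentDao class, the students table and the H2 in-memory database are assumptions made for this illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Same lookup written two ways; only the parameterized one is safe.
public class StudentDao {
    private final Connection conn;
    public StudentDao(Connection conn) { this.conn = conn; }

    // UNSAFE: the input is spliced into the SQL text, so a single quote
    // changes the statement instead of being stored as data.
    public int countByNameConcat(String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM students WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }
    // SAFE: the driver sends the value separately from the query text,
    // so a quote in the input is just a quote in the data.
    public int countByNameParam(String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT COUNT(*) FROM students WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
    // Integration test of the kind the thread recommends: a name containing a
    // single quote must round-trip through the DAO. Assumes the H2 driver is on
    // the classpath; the table and row are constructed here for the example.
    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:dao")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE students (name VARCHAR(64))");
                st.execute("INSERT INTO students VALUES ('Robert O''Brien')");
            }
            StudentDao dao = new StudentDao(c);
            if (dao.countByNameParam("Robert O'Brien") != 1) throw new AssertionError("parameterized lookup failed");
            try {
                dao.countByNameConcat("Robert O'Brien");
                throw new AssertionError("concatenated query should have failed on the quote");
            } catch (SQLException expected) { /* the quote broke the statement */ }
        }
    }
}
```

The same test applied to a Hibernate DAO catches the failure mode Gary warns about: an HQL string built by concatenation breaks on the quoted name, while a query with named or positional parameters does not.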

