Use Hibernate, it's definitely worth trying.
 
The SQL queries can be parameterised and the parameter names can refer to
fields in an object; it handles the escaping of values to be SQL safe.
 


----------------------------------------
> From: gustavo.felisbe...@wit-software.com
> To: user@struts.apache.org
> Subject: RE: SQL Injection
> Date: Thu, 18 Mar 2010 12:34:57 +0000
>
> Hello,
> As far as I know there is nothing in Struts to prevent SQL injection. And
> that should be done at the database level, so it is not related to Struts.
>
> Also there is no simple way of making parameters "sql injection safe". You
> can take a look at
> http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet They
> have some code that will take care of inputs depending on the Database used
> (they have "cleaners" for Oracle, Mysql and SQLServer).
>
> -----Original Message-----
> From: abhishek jain [mailto:abhishek.netj...@gmail.com]
> Sent: Thursday, 18 March 2010 10:31
> To: Struts Users Mailing List
> Subject: SQL Injection
>
> Hi,
> Do we have any special technique in Struts for preventing SQL injection? I
> know we can prevent it via parameterized queries, but my application design
> does not permit that.
> So can anyone here help me on this? I need a function which, if I pass it a
> value, makes the value SQL injection safe.
> Please help.
> --
> Thanks and kind Regards,
> Abhishek jain
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
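The three approaches the thread discusses, side by side, as an added example that is not code from any of the posters: the string concatenation that causes the problem, a plain JDBC parameterised query (what "parameterized query" means in the original question), and the Hibernate named-parameter form the reply recommends, where `Query.setProperties(bean)` binds each `:name` placeholder from the matching getter on an object. The `Account` entity, the `account` table and its columns, and the `AccountFilter` bean are assumptions; the Hibernate calls (`createQuery`, `setProperties`, `list`) are the Hibernate 3 API that was current at the time of the thread.

```java
// Added example, not from the mailing-list thread. Entity, table and column
// names are assumptions chosen for illustration.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.hibernate.Session;

public class AccountLookup {

    // Hypothetical bean whose getter names match the :named parameters in the
    // HQL below. Hibernate's Query.setProperties(bean) reads each parameter's
    // value through the corresponding getter and binds it.
    public static class AccountFilter {
        private final String username;
        private final int minBalance;

        public AccountFilter(String username, int minBalance) {
            this.username = username;
            this.minBalance = minBalance;
        }
        public String getUsername()  { return username; }
        public int getMinBalance()   { return minBalance; }
    }

    // VULNERABLE: the user-supplied value becomes part of the statement text,
    // so a quote character in the input ends the string literal and the rest of
    // the input is parsed as SQL. This is what a "make it safe" function would
    // have to undo, per database and per context, which is why the OWASP sheet
    // treats escaping as a last resort rather than the primary defence.
    static String unsafeSql(String username) {
        return "SELECT id, balance FROM account WHERE username = '" + username + "'";
    }

    // SAFE (plain JDBC): the statement text is fixed at compile time; the value
    // is sent as a bound parameter and is never interpreted as SQL syntax.
    static int countWithJdbc(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM account WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);            // bound, not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // SAFE (Hibernate): named parameters in HQL, bound from the bean's fields.
    // Hibernate turns this into a prepared statement with placeholders, so the
    // values are handled the same way as in countWithJdbc above.
    @SuppressWarnings("unchecked")
    static List<Account> findWithHibernate(Session session, AccountFilter filter) {
        String hql = "from Account a"
                   + " where a.username = :username"
                   + " and a.balance >= :minBalance";
        return session.createQuery(hql)
                      .setProperties(filter)       // :username <- getUsername(), etc.
                      .list();
    }

    // Same query with the parameters bound one by one, for callers that do not
    // have a bean handy. Equally safe; setProperties is just the shorter form.
    @SuppressWarnings("unchecked")
    static List<Account> findWithExplicitParams(Session session, String username, int minBalance) {
        return session.createQuery(
                   "from Account a where a.username = :username and a.balance >= :minBalance")
                      .setParameter("username", username)
                      .setParameter("minBalance", minBalance)
                      .list();
    }
}
```

The point for a Struts application is that the boundary does not move: whichever layer builds the query (a DAO, a service, or the action itself), the value from the request must reach the database as a bound parameter rather than as text spliced into the statement. A design that "does not permit" parameterised queries usually means the query is assembled as a string somewhere, and that is the place to change, since no single escaping function is correct for every database and every position in a statement.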