Lib To Protect Sql/javascript Injection For Java/jsp
Solution 1:
Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip.
http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html
Edit: Escaping can save you from injection attacks because it makes sure that the data the user has entered is not executed as code, but always presented as data to the user.
Solution 2:
You need to rely on the your database api's mechanism for using parameterized queries. If you're first building an sql string dynamically and then want to sanitize the completed query string, you're doing it wrong. That's just asking for trouble.
Edit: after re-reading your question, it seems I mis-understood what you were asking. I stand by my initial comments as accurate for the sql injection part of your question. For that, you definitely want real query parameters.
As for filtering out javascript, I don't think there's a real standard way to do it yet. I know Jeff posted the code they use here at SO, but I don't have the link handy. If I can find it I'll post it.
Solution 3:
Take a look at AntiSamy on OWASP. I think this might be what you are looking for. I do not currently work in Java so I cannot tell you about how it performs.
Solution 4:
The what you're saying is that for every possible entry being added to the string I have to remove first the "malicious" data. Yeah it makes sense as I wouldn't be able to tell which was added as an input and what would be part of the query itself.
Ok ty i guess i need to restart changing some code :) still the question for the api still stands :)
Solution 5:
The c:out tag by default escapes XML. This can be handy for storing user input, as the bound value will still be the user's input but the source generated by the browser will use escaped entries.
Post a Comment for "Lib To Protect Sql/javascript Injection For Java/jsp"