Posted to user@struts.apache.org by "J.V." <jv...@gmail.com> on 2013/03/26 23:15:27 UTC
common validator
I have to add checking each and every form field in my application for
sql injection attacks (I need a method that will return a boolean false
if any character that is typically used in sql injection is found).
Each of my form classes has a validator() method. I was thinking of
creating my own abstract form class
public abstract class MyBaseForm extends DynaValidatorForm {
    public boolean validateSQL(String[] fields) {
        // do checks here and return true or false
        return true; // placeholder until the checks are written
    }
}
----
and then modify all my form classes to extend MyBaseForm (which extends
DynaValidatorForm) and in each of my existing Form classes call
validateSQL() as the first call of each existing validator() method.
This will be a lot of work because there are over 100 forms and 500+
fields, is there an easier way? I thought that using the Apache commons
validator plugin would be best but was told that the validator() method
in each form class is preferred, but it is turning out to be more work
than expected.
Any/all other options would be helpful.
thanks
J.V.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: common validator
Posted by Muralidhar Yaragalla <ja...@gmail.com>.
Have you tried "PreparedStatement" and seen how it goes with SQL injection?
Long back I did some work on this, so I don't remember exactly, but I
think this can solve it.
On Wed, Mar 27, 2013 at 3:45 AM, J.V. <jv...@gmail.com> wrote:
> I have to add checking each and every form field in my application for sql
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in sql injection is found).
>
> Each of my form classes has a validator() method. I was thinking of
> creating my own abstract form class
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks here and return true or false
>         return true; // placeholder until the checks are written
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and in each of my existing Form classes call
> validateSQL() as the first call of each existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields, is there an easier way? I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
>
> J.V.
>
--
Thanks And Regards,
Muralidhar Yaragalla.
Re: common validator
Posted by Paul Benedict <pb...@apache.org>.
Do not use UI validation to defend against SQL Injection Attacks. That's
the job of JDBC Prepared Statements.
Paul
On Tue, Mar 26, 2013 at 5:15 PM, J.V. <jv...@gmail.com> wrote:
> I have to add checking each and every form field in my application for sql
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in sql injection is found).
>
> Each of my form classes has a validator() method. I was thinking of
> creating my own abstract form class
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks here and return true or false
>         return true; // placeholder until the checks are written
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and in each of my existing Form classes call
> validateSQL() as the first call of each existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields, is there an easier way? I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
>
> J.V.
>