Posted to user@struts.apache.org by "J.V." <jv...@gmail.com> on 2013/03/26 23:15:27 UTC

common validator

I have to add checking each and every form field in my application for 
sql injection attacks (I need a method that will return a boolean false 
if any character that is typically used in sql injection is found).

Each of my form classes has a validator() method.  I was thinking of 
creating my own abstract form class

import org.apache.struts.validator.DynaValidatorForm;

public abstract class MyBaseForm extends DynaValidatorForm {

    public boolean validateSQL(String[] fields) {
        // do checks on each field here and return true or false
        return true;
    }
}

----
and then modify all my form classes to extend MyBaseForm (which extends 
DynaValidatorForm) and in each of my existing Form classes call 
validateSQL() as the first call of each now existing validator() method.

This will be a lot of work because there are over 100 forms and 500+ 
fields, is there an easier way?  I thought that using the Apache commons 
validator plugin would be best but was told that the validator() method 
in each form class is preferred, but it is turning out to be more work 
than expected.

Any/all other options would be helpful.

thanks


J.V.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: common validator

Posted by Muralidhar Yaragalla <ja...@gmail.com>.
Have you tried "PreparedStatement" and seen how it goes with SQL injection?
Long back I have done some work on this, so I don't remember exactly, but I
think this can solve it.


On Wed, Mar 27, 2013 at 3:45 AM, J.V. <jv...@gmail.com> wrote:

> I have to add checking each and every form field in my application for sql
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in sql injection is found).
>
> Each of my form classes has a validator() method.  I was thinking of
> creating my own abstract form class
>
> import org.apache.struts.validator.DynaValidatorForm;
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks on each field here and return true or false
>         return true;
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and in each of my existing Form classes call
> validateSQL() as the first call of each now existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields, is there an easier way?  I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
>
> J.V.
>


-- 
Thanks And Regards,
Muralidhar Yaragalla.

Re: common validator

Posted by Paul Benedict <pb...@apache.org>.
Do not use UI validation to defend against SQL Injection Attacks. That's
the job of JDBC Prepared Statements.

Paul

On Tue, Mar 26, 2013 at 5:15 PM, J.V. <jv...@gmail.com> wrote:

> I have to add checking each and every form field in my application for sql
> injection attacks (I need a method that will return a boolean false if any
> character that is typically used in sql injection is found).
>
> Each of my form classes has a validator() method.  I was thinking of
> creating my own abstract form class
>
> import org.apache.struts.validator.DynaValidatorForm;
>
> public abstract class MyBaseForm extends DynaValidatorForm {
>
>     public boolean validateSQL(String[] fields) {
>         // do checks on each field here and return true or false
>         return true;
>     }
> }
>
> ----
> and then modify all my form classes to extend MyBaseForm (which extends
> DynaValidatorForm) and in each of my existing Form classes call
> validateSQL() as the first call of each now existing validator() method.
>
> This will be a lot of work because there are over 100 forms and 500+
> fields, is there an easier way?  I thought that using the Apache commons
> validator plugin would be best but was told that the validator() method in
> each form class is preferred, but it is turning out to be more work than
> expected.
>
> Any/all other options would be helpful.
>
> thanks
>
>
> J.V.
>
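Both replies above point to JDBC PreparedStatement rather than a per-field character check. The following is an added example, not code from the thread or from the Struts project, showing the same user lookup written the concatenated way and the parameterised way. The class name UserLookup, the table and column names, and the assumption that a java.sql.Connection is supplied by the application's DataSource are all assumptions made for this example; no driver or schema setup is shown.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the thread). The Connection is assumed to come
 * from the application's DataSource; table/column names are constructed.
 */
public final class UserLookup {

    /** BEFORE: the form value is spliced into the SQL text itself. */
    static String buildConcatenatedSql(String username) {
        // Any quote character in the input changes the statement's structure,
        // so the database parses part of the user's input as SQL.
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    static List<String> findConcatenated(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildConcatenatedSql(username))) {
            return collectEmails(rs);
        }
    }

    /** AFTER: the SQL text is fixed; the value travels as a bound parameter. */
    static final String PARAMETERISED_SQL =
            "SELECT id, email FROM users WHERE username = ?";

    static List<String> findParameterised(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(PARAMETERISED_SQL)) {
            // The driver sends the value separately from the statement text,
            // so it is never parsed as SQL, whatever characters it contains.
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collectEmails(rs);
            }
        }
    }

    private static List<String> collectEmails(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString("email"));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: a legitimate surname that contains an apostrophe.
        String legit = "O'Brien";
        System.out.println("Concatenated:  " + buildConcatenatedSql(legit));
        System.out.println("Parameterised: " + PARAMETERISED_SQL + "   (parameter 1 = " + legit + ")");
    }
}
```

Running main shows why the character-blocklist approach in the original post is the wrong tool: the concatenated statement for O'Brien is already broken by an ordinary name, and a validateSQL() that rejects apostrophes would have to refuse that user. With the prepared statement the statement text never changes, so no form-level filtering is needed for injection, and validator() can stay focused on business rules such as required fields and formats.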