Posted to user@struts.apache.org by Mike Whittaker <mi...@ntlworld.com> on 2003/05/28 10:39:35 UTC

Global request parameter filtering

Say for instance you want to filter for all the ' " \ characters in request
parameters, either removing them or escaping them.

Either way if you do it before the action form gets them, then on
prepopulation of form fields the user will see these alterations (not
desirable).
If you do it after you decide the form won't be returned then:

a) It becomes difficult because you have just form bean method calls to get
the parameters something like filter(getMyString()) becomes a pain and open
to missing out the filtering with potentially disastrous consequences!

b) If you decided to somehow globally alter a session scoped form then again
you have prepopulation alterations.

I have seen that RequestProcessor may offer hope, I'd like to know the order
that these RP methods are called.

I realise that I could use BeanUtils and make a DynaBean copy of a form
bean, filtering the parameters during the copy.  Just seems overkill, and
yet another object in the request.

Any pointers?
How do you filter your SQL sensitive characters?

--
Mike W
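
The trade-off described in the message above, as an added example that is not part of the original post: the form bean keeps the raw values for redisplay, while a read-only view built with java.lang.reflect.Proxy passes every String getter through one filter, so no individual filter(getMyString()) call can be missed. The LoginForm interface, the backslash-escape rule and the sample input are assumptions made for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class FilteredFormView {
    // Hypothetical form contract; a real Struts ActionForm would implement it.
    public interface LoginForm {
        String getUsername();
        String getComment();
    }

    // Plain bean holding the raw request values, left untouched for redisplay.
    static class LoginFormBean implements LoginForm {
        private final String username, comment;
        LoginFormBean(String username, String comment) {
            this.username = username;
            this.comment = comment;
        }
        public String getUsername() { return username; }
        public String getComment() { return comment; }
    }

    // Backslash-escape the three characters named in the post: ' " \
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '\'' || c == '"' || c == '\\') out.append('\\');
            out.append(c);
        }
        return out.toString();
    }

    // Read-only view: every String-returning method goes through escape().
    @SuppressWarnings("unchecked")
    static <T> T filtered(T form, Class<T> iface) {
        InvocationHandler h = (proxy, method, args) -> {
            Object value = method.invoke(form, args);
            return (value instanceof String) ? escape((String) value) : value;
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    public static void main(String[] argv) {
        LoginForm raw = new LoginFormBean("O'Brien", "C:\\tmp \"x\""); // constructed input
        LoginForm safe = filtered(raw, LoginForm.class);
        System.out.println(raw.getUsername());  // what the form field is prepopulated with
        System.out.println(safe.getUsername()); // what downstream code receives
        System.out.println(safe.getComment());
    }
}
```

For SQL specifically, binding the raw value through java.sql.PreparedStatement removes the need to escape these characters at all.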

