Posted to user@struts.apache.org by "J.V." <jv...@gmail.com> on 2013/03/23 00:36:42 UTC

Struts 1.3 : Preventing SQL Injection (form.field validation)

Does anyone out there have a method I could use to pass a form field 
variable that would check for all known SQL injection vulnerabilities 
(with regards to the form field only, irrespective of the method of SQL 
execution) and return a true/false if it passes the test?

I have about 100+ forms ( 500+ fields) to validate for SQL injection 
vulnerabilities and was thinking of creating an abstractForm.java class 
and putting the validate method there and calling that in each of the 
MyForm.java classes validate() method.

I thought initially it would be better to move everything over to use 
Apache commons validator, create a global rule and simply apply the 
global rule to every form field but it may be better to take this approach.

Any thoughts on the approach or a validator class to pattern match the 
field would be helpful (if you have had such a case in the past).

thanks

J.V.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts 1.3 : Preventing SQL Injection (form.field validation)

Posted by Anjib Mulepati <an...@hotmail.com>.
Use Filter

On 3/22/2013 7:36 PM, J.V. wrote:
> Does anyone out there have a method I could use to pass a form field 
> variable that would check for all known SQL injection vulnerabilities 
> (with regards to the form field only, irrespective of the method of 
> SQL execution) and return a true/false if it passes the test?
>
> I have about 100+ forms ( 500+ fields) to validate for SQL injection 
> vulnerabilities and was thinking of creating an abstractForm.java 
> class and putting the validate method there and calling that in each 
> of the MyForm.java classes validate() method.
>
> I thought initially it would be better to move everything over to use 
> Apache commons validator, create a global rule and simply apply the 
> global rule to every form field but it may be better to take this 
> approach.
>
> Any thoughts on the approach or a validator class to pattern match 
> the field would be helpful (if you have had such a case in the past).
>
> thanks
>
> J.V.
>


Re: Struts 1.3 : Preventing SQL Injection (form.field validation)

Posted by Paul Benedict <pb...@apache.org>.
If you use JDBC prepared statements, you will not have to worry about SQL
injection.

Paul

On Fri, Mar 22, 2013 at 6:36 PM, J.V. <jv...@gmail.com> wrote:

> Does anyone out there have a method I could use to pass a form field
> variable that would check for all known SQL injection vulnerabilities (with
> regards to the form field only, irrespective of the method of SQL
> execution) and return a true/false if it passes the test?
>
> I have about 100+ forms ( 500+ fields) to validate for SQL injection
> vulnerabilities and was thinking of creating an abstractForm.java class and
> putting the validate method there and calling that in each of the
> MyForm.java classes validate() method.
>
> I thought initially it would be better to move everything over to use
> Apache commons validator, create a global rule and simply apply the global
> rule to every form field but it may be better to take this approach.
>
> Any thoughts on the approach or a validator class to pattern match the
> field would be helpful (if you have had such a case in the past).
>
> thanks
>
> J.V.
>
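
Paul's point, shown in code. This is an added example, not code from the thread, from Struts or from Commons Validator. It assumes the H2 JDBC driver (org.h2.Driver, URL jdbc:h2:mem:demo) is on the classpath; the users table, its columns and the NAIVE_BLACKLIST pattern are invented for the demonstration. It runs the same two lookups (a string column and a numeric column) once with the field spliced into the SQL text and once through PreparedStatement, and feeds in one payload that a quote-based per-field blacklist of the kind the original question asks for still lets through.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Added example: string concatenation vs. PreparedStatement over JDBC.
// Assumption: the H2 driver is on the classpath (jdbc:h2:mem: URL); the table,
// columns and the blacklist pattern below are invented for the demonstration.
public class SqlInjectionDemo {

    // Naive per-field blacklist of the kind the original question asks for:
    // rejects quotes, statement separators and comment markers.
    static final Pattern NAIVE_BLACKLIST = Pattern.compile("['\";]|--|/\\*");

    static boolean passesNaiveCheck(String field) {
        return !NAIVE_BLACKLIST.matcher(field).find();
    }

    // VULNERABLE: the field is spliced into the SQL text and can change the
    // shape of the statement.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // VULNERABLE: numeric context, no quotes around the value at all.
    static int countByIdConcat(Connection c, String id) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE id = " + id;
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // HARDENED: the value is bound as a parameter, so whatever it contains is
    // compared as data; it never reaches the SQL parser as syntax.
    static int countByNamePrepared(Connection c, String name) throws SQLException {
        try (PreparedStatement ps =
                     c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // HARDENED: for a numeric column, parse first; a non-integer is rejected
    // (NumberFormatException) before any SQL is sent.
    static int countByIdPrepared(Connection c, String id) throws SQLException {
        int parsed = Integer.parseInt(id.trim());
        try (PreparedStatement ps =
                     c.prepareStatement("SELECT COUNT(*) FROM users WHERE id = ?")) {
            ps.setInt(1, parsed);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50))");
            st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

            // Classic quote-based payload: the blacklist catches it, but only the
            // concatenated query is actually dangerous with it.
            String hostileName = "' OR '1'='1";
            System.out.println("blacklist accepts name payload: " + passesNaiveCheck(hostileName));
            System.out.println("concat   name match count: " + countByNameConcat(c, hostileName));
            System.out.println("prepared name match count: " + countByNamePrepared(c, hostileName));

            // Numeric-context payload: no quote, no comment marker, so the
            // blacklist passes it, and concatenation still matches every row.
            String hostileId = "1 OR 1=1";
            System.out.println("blacklist accepts id payload: " + passesNaiveCheck(hostileId));
            System.out.println("concat   id match count: " + countByIdConcat(c, hostileId));
            try {
                countByIdPrepared(c, hostileId);
            } catch (NumberFormatException e) {
                System.out.println("prepared id lookup rejected non-numeric input");
            }
        }
    }
}
```

Compile and run with the H2 jar on the classpath (for example `javac SqlInjectionDemo.java && java -cp .:h2.jar SqlInjectionDemo`). The concatenated lookups return the full row count for both payloads, the blacklist passes the numeric payload, and the prepared lookups return zero rows for the string payload and refuse the numeric one before it reaches the database. A per-field check in an abstract form's validate() is still useful for rejecting junk early, but it is not what makes the query safe; binding the value as a parameter is.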