javasecurityjspsql-injectionjavascript-injection

Lib to protect SQL/javascript injection for java/jsp


Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages.

Idealy the lib would be:

Thanks in advance to the SO community who will happily reply :)


Solution

  • Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip.

    http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html

    Edit: Escaping can save you from injection attacks because it makes sure that the data the user has entered is not executed as code, but always presented as data to the user.