Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages.
Idealy the lib would be:
- Free
- Lightweight
- Easy to use
Thanks in advance to the SO community who will happily reply :)
Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip.
http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html
Edit: Escaping can save you from injection attacks because it makes sure that the data the user has entered is not executed as code, but always presented as data to the user.
You need to rely on the your database api's mechanism for using parameterized queries. If you're first building an sql string dynamically and then want to sanitize the completed query string, you're doing it wrong. That's just asking for trouble.
Edit: after re-reading your question, it seems I mis-understood what you were asking. I stand by my initial comments as accurate for the sql injection part of your question. For that, you definitely want real query parameters.
As for filtering out javascript, I don't think there's a real standard way to do it yet. I know Jeff posted the code they use here at SO, but I don't have the link handy. If I can find it I'll post it.
Take a look at AntiSamy on OWASP. I think this might be what you are looking for. I do not currently work in Java so I cannot tell you about how it performs.
The what you're saying is that for every possible entry being added to the string I have to remove first the "malicious" data. Yeah it makes sense as I wouldn't be able to tell which was added as an input and what would be part of the query itself.
Ok ty i guess i need to restart changing some code :) still the question for the api still stands :)
The c:out tag by default escapes XML. This can be handy for storing user input, as the bound value will still be the user's input but the source generated by the browser will use escaped entries.
To prevent SQL injection utilize PreparedStatement objects. If you are using some persistence layer, ensure that it is utilizing PreparedStatement objects. With regard to malicious HTML and JavaScript, use . This escapes XML characters by default. You can also use the JSTL function escapeXml found in the fn tld.
Just rephrasing the suggestions given by others here:
The OP wants to prevent SQL and JavaScript injection attacks.
SQL Injection attacks can be prevented by ensuring that parameterized queries/bind variables are utilized to provide user input to the database. In the Java world, the use of PMD (and a PMD rule) and Findbugs (the rules are built into Findbugs by default) will help you determine locations in your code base that are susceptible to SQL injection attacks. OWASP has a good article on preventing SQL injection in Java.
As far as script injection is concerned, the safest way to prevent attacker-injected scripts from being executed is to ensure that user input, when it is used as output, is to be displayed using an encoded format - for web apps, this would be HTML encoding. This OWASP page shows you how to perform HTML encoding in Java.