SQL injection and HTML

 
Avi Gafa
Hi All,
I have a text box (on a JSP page) which should allow free text input, including HTML tags.
Some background:
In my customer page, there is an empty <div> that should be filled dynamically by calling my servlet.
My servlet should return text that can include HTML tags, and this text will be embedded in the div and formatted as regular HTML.
In order to retrieve this text, I'm giving my customer a text box where he can put his free text (again, including HTML tags), and I store it in the DB.
My problem is: how do I give my customer the ability to put his free text with the HTML tags in the text box and in the DB, and avoid security issues like SQL injection?

Thanks,
Avi
 
Jeanne Boyarsky
Avi,
If you use a PreparedStatement to update the database, it will protect you from SQL injection. For example:



This will automatically escape any of the HTML inside the "?".
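The PreparedStatement approach from the reply above, worked through as a servlet that stores and serves the customer's text. This is an added example, not code from the original post: the table `customer_text` with columns `customer_id` and `body`, the `DataSource` field, and the session attribute `customerId` are all assumed. The `unsafeSql` method is included only to show what string concatenation would hand to the database. Note that the PreparedStatement keeps the customer's text out of the SQL grammar; whether that HTML is safe to render back into the <div> (script tags or event-handler attributes in it would run in the browser) is a separate question that this example does not address.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Stores a customer's free text (HTML tags allowed) and returns it for the page's <div>. */
public class CustomerTextServlet extends HttpServlet {

    // Assumption: a container-managed DataSource is injected or looked up via JNDI elsewhere.
    private DataSource dataSource;

    // For contrast only, never used: the customer's text becomes part of the SQL statement.
    // A body such as   x'); DROP TABLE customer_text; --   changes what the database executes.
    static String unsafeSql(String customerId, String text) {
        return "INSERT INTO customer_text (customer_id, body) VALUES ('"
                + customerId + "', '" + text + "')";
    }

    // Safe form: the SQL text is fixed at prepare time; the values are sent as parameters
    // and are never parsed as SQL, so tags, quotes and semicolons are stored literally.
    static void saveText(Connection con, String customerId, String text) throws SQLException {
        String sql = "INSERT INTO customer_text (customer_id, body) VALUES (?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, customerId);
            ps.setString(2, text);
            ps.executeUpdate();
        }
    }

    // Same idea on the read side: the customer id is a parameter, not part of the SQL.
    static String loadText(Connection con, String customerId) throws SQLException {
        String sql = "SELECT body FROM customer_text WHERE customer_id = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("body") : "";
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumption: the login code stores the authenticated customer's id in the session,
        // so a customer cannot write another customer's row by editing a request parameter.
        String customerId = (String) req.getSession().getAttribute("customerId");
        String text = req.getParameter("text");   // raw text from the text box, tags included
        if (customerId == null || text == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try (Connection con = dataSource.getConnection()) {
            saveText(con, customerId, text);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String customerId = (String) req.getSession().getAttribute("customerId");
        if (customerId == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String body;
        try (Connection con = dataSource.getConnection()) {
            body = loadText(con, customerId);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        // The page's JavaScript puts this response into the empty <div>.
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write(body);
    }
}
```

The difference between the two forms is visible in `unsafeSql`: with concatenation, a body containing a single quote ends the string literal and whatever follows is parsed as SQL, whereas `setString` on the PreparedStatement passes the whole body as one value regardless of what characters it contains. No escaping of the customer's HTML is needed, or done, at the SQL layer.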