2

Does Java have standard security functions like PHP's htmlspecialchars and strip_tags? Or must I write my own functions? I want to be sure my script handles user data safely.

Leigh
Anton Sementsov
  • Related: [XSS prevention in Java](http://stackoverflow.com/questions/2658922/xss-prevention-in-java) – BalusC Feb 21 '12 at 18:37

3 Answers

3

Not exactly.

Protection against injection attacks in Java comes "for free" provided that you do certain things the right way. For example:

  • Don't create SQL by concatenating strings. Instead, create your SQL with placeholders, and compile / execute using JDBC PreparedStatement.

  • In JSPs, use <c:out> to output any data that comes from the user. This automatically HTML escapes it to denature any potential injected nasties.

Stephen C
  • I use all the things you describe, but the data comes from an input form filled in by the user. If I use PreparedStatement, for example, will it check my data before adding the record to my database? So I don't need to use such functions on my request parameters, which come from the client? – Anton Sementsov Feb 21 '12 at 10:46
  • It doesn't check the data *per se*. Rather it causes the parameter containing the user's input to be treated as a single SQL data value ... irrespective of any funky quoting, etc that the user might attempt to use in an SQL injection attack. – Stephen C Feb 21 '12 at 11:25
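The two rules from the answer above in plain Java, as an added example that is not part of the original answer: a lookup that binds the user-supplied name through a PreparedStatement placeholder instead of concatenating it into the SQL text, and a small method that performs the same escaping `<c:out>` applies by default (its escapeXml behaviour), for code that renders HTML outside a JSP. The `Connection` is assumed to come from whatever JDBC data source the application already has; the `users` table and its column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SafeUserInput {

    // VULNERABLE (shown only for contrast): the username becomes part of the SQL
    // text, so a single quote in the value changes the structure of the query.
    static String unsafeQuery(String username) {
        return "SELECT email FROM users WHERE name = '" + username + "'";
    }

    // SAFE: the SQL text is fixed; the driver sends the username as a bound
    // parameter, so whatever quoting the user types is treated as one string value.
    // Table and column names are assumptions for this example.
    static String findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // Equivalent of what <c:out> does with escapeXml="true" (its default):
    // escape the characters that could start markup or break out of an attribute.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, the kind a form field might carry.
        String input = "<b>name</b> & \"quotes\" and 'apostrophes'";
        System.out.println(escapeHtml(input));
    }
}
```

`findEmail` needs a real JDBC connection to run; `main` exercises only the escaping so the class can be compiled and run without a database.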
0

You can try the Spring Security library (.jar), which gives you all the features needed to avoid web-related security issues.

Here is the link:
http://static.springsource.org/spring-security/site/

You can also find some help on the OWASP site:
http://owasp.com/index.php/Main_Page

vireshas
-1

This is not a solution, just advice: when it's about security, I never use built-in functions; I always write them myself according to the client's requirements. Use RegExp, they are very powerful for this.

JBoy
  • It's too troublesome; is there no easier way to do this? – Anton Sementsov Feb 21 '12 at 10:37
  • It is also bad advice, unless you are better at security than everyone else. (And there is a difference between *thinking* you are better than actually *being* better.) – Stephen C Feb 21 '12 at 10:44
  • Stephen, why would this be bad advice? You mean that writing your own function is bad advice, in comparison to using a built-in function where you can only see but not edit the source code? – JBoy Feb 24 '12 at 14:51