Spring data CRUD methods

We use spring data, the whole point of which is to be able to just use the provided interfaces (such as e.g. CrudRepository) and not have to actually implement stuff.

We have realized that we need to take steps to make sure that our app:

  • escapes illegal HTML characters such as & < > " ' from input
  • has protection against sql injections

and to me the most logical place to do that would seem to be somewhere high up in the generic db methods that all our repos share. But since they are not implemented anywhere in our code I don't know if this is already implemented in spring data or not.

fred asked Apr 15 '26 09:04


1 Answer

You seem to be mixing two very different concerns here, so let's discuss them separately:

  1. The protection against SQL injection is to be found in the corresponding SQL-ish spring-data implementation: JDBC or JPA; so you shouldn't need to worry about it. The generic API doesn't expose anything related to this simply because it's generic and "SQL injection" sounds really weird when you're using HBase, for instance.

  2. Escaping HTML stuff is a whole different thing since it's a concern of your presentation layer, not your data layer. So you can either escape the input at validation time, before sending it to the repository or sanitize the output afterwards, when you want to display stored data in the UI.

As a note, HTML is just one of the formats your data can be delivered as. If you later on need to also produce JSON or CSV, you will end up mixing escapes for different formats in the database. This is an obvious reason why escaping is not part of the DAO layer and why output sanitization is the safe way to go here.

Costi Ciudatu answered Apr 16 '26 21:04

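The two points in the answer, shown in code. This is an added example, not code from the question, the answer, or the Spring Data project; the `Customer` entity, `CustomerRepository`, `CustomerQueries` and `CustomerView` names are assumptions made for illustration. It shows where Spring Data JPA's injection protection actually lives (parameter binding in derived and `@Query` methods), the one way application code can still bypass it (building a query string by concatenation), and HTML escaping applied at render time rather than before storage:

```java
// Added example (not from the question, the answer or Spring Data itself).
// Entity, repository and helper class names are assumptions.
import java.util.List;

import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.web.util.HtmlUtils;

@Entity
class Customer {
    @Id
    private Long id;
    private String lastName;
    private String note;   // free text typed by users, stored as entered

    public String getLastName() { return lastName; }
    public String getNote() { return note; }
}

interface CustomerRepository extends JpaRepository<Customer, Long> {

    // Derived query: Spring Data generates "... where c.lastName = ?1" and
    // passes the argument as a bound parameter. The value never becomes part
    // of the query text, which is the SQL injection protection the answer
    // refers to.
    List<Customer> findByLastName(String lastName);

    // Explicit JPQL with a named parameter: still bound, so quotes or SQL
    // keywords in 'fragment' are treated as data, not syntax.
    @Query("select c from Customer c where c.note like %:fragment%")
    List<Customer> searchNote(@Param("fragment") String fragment);
}

class CustomerQueries {
    private final EntityManager em;

    CustomerQueries(EntityManager em) { this.em = em; }

    // Anti-pattern: splicing input into the query string. Spring Data cannot
    // protect a query it did not build, so this is the case to look for in
    // review and to reject.
    List<Customer> unsafeLookup(String lastName) {
        return em.createQuery(
                "select c from Customer c where c.lastName = '" + lastName + "'",
                Customer.class)
            .getResultList();
    }

    // Corrected form: same query, value bound as a parameter.
    List<Customer> safeLookup(String lastName) {
        return em.createQuery(
                "select c from Customer c where c.lastName = :ln", Customer.class)
            .setParameter("ln", lastName)
            .getResultList();
    }
}

class CustomerView {
    // Output escaping at render time, per format. The stored note stays raw,
    // so the same row can later be emitted as JSON or CSV with that format's
    // own escaping instead of HTML entities leaking into those outputs.
    static String noteAsHtmlCell(Customer c) {
        return "<td>" + HtmlUtils.htmlEscape(c.getNote()) + "</td>";
    }
}
```

In practice the `CustomerView` step is usually done by the template engine: Thymeleaf's `th:text` and JSP's `<c:out>` escape by default, so explicit `HtmlUtils.htmlEscape` is only needed where HTML is assembled by hand. The repository layer then holds one copy of the data that is correct for every output format, which is the reason the answer gives for keeping escaping out of the DAO.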