org.owasp.esapi

Class PreparedString

java.lang.Object

org.owasp.esapi.PreparedString

public class PreparedString
extends java.lang.Object

A parameterized string that uses escaping to make untrusted data safe before combining it with a command or query intended for use in an interpreter.

 
 PreparedString div = new PreparedString( "<a href=\"http:\\\\example.com?id=?\" onmouseover=\"alert('?')\">test</a>", new HTMLEntityCodec() );
 div.setURL( 1, request.getParameter( "url" ), new PercentCodec() );
 div.set( 2, request.getParameter( "message" ), new JavaScriptCodec() );
 out.println( div.toString() );
 
 // escaping for SQL
 PreparedString query = new PreparedString( "SELECT * FROM users WHERE name='?' AND password='?'", new OracleCodec() );
 query.set( 1, request.getParameter( "name" ) );
 query.set( 2, request.getParameter( "pass" ) );
 stmt.execute( query.toString() );
 

Since:

June 1, 2007

Field Summary

Fields

Modifier and Type	Field and Description
(package private) Codec	codec
private static char[]	IMMUNE
(package private) char	parameterCharacter
(package private) java.lang.String[]	parameters
(package private) java.util.ArrayList	parts

Constructor Summary

Constructors

Constructor and Description
PreparedString(java.lang.String template, char parameterCharacter, Codec codec) Create a PreparedString with the supplied template, parameter placeholder character, and Codec.
PreparedString(java.lang.String template, Codec codec) Create a PreparedString with the supplied template and Codec.

Method Summary

Modifier and Type	Method and Description
void	set(int index, java.lang.String value) Set the parameter at index with supplied value using the default Codec to escape.
void	set(int index, java.lang.String value, Codec codec) Set the parameter at index with supplied value using the supplied Codec to escape.
private void	split(java.lang.String str, char c) Split a string with a particular character.
java.lang.String	toString() Render the PreparedString by combining the template with properly escaped parameters.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

parameterCharacter

char parameterCharacter

codec

Codec codec

parameters

java.lang.String[] parameters

parts

java.util.ArrayList parts

IMMUNE

private static final char[] IMMUNE

Constructor Detail

PreparedString

public PreparedString(java.lang.String template,
                      Codec codec)

Create a PreparedString with the supplied template and Codec. The template should use the default parameter placeholder character (?) in the place where actual parameters are to be inserted. The supplied Codec will be used to escape characters in calls to set, unless a specific Codec is provided to override it.

Parameters:

template -

codec -

PreparedString

public PreparedString(java.lang.String template,
                      char parameterCharacter,
                      Codec codec)

Create a PreparedString with the supplied template, parameter placeholder character, and Codec. The parameter character can be any character, but should not be one that will be used in the template. The parameter character can safely be used in a parameter passed into the set methods.

Parameters:

template -

parameterCharacter -

codec -

Method Detail

split

private void split(java.lang.String str,
                   char c)

Split a string with a particular character.

Parameters:

str -

c -

set

public void set(int index,
                java.lang.String value)

Set the parameter at index with supplied value using the default Codec to escape.

Parameters:

index -

value -

set

public void set(int index,
                java.lang.String value,
                Codec codec)

Set the parameter at index with supplied value using the supplied Codec to escape.

Parameters:

index -

value -

codec -

toString

public java.lang.String toString()

Render the PreparedString by combining the template with properly escaped parameters.

Overrides:

toString in class java.lang.Object