

Java Best Practices - turingbook
http://jdevelopment.nl/java-best-practices/

======
raganwald
_Not validating user input should have nothing to do with SQL or XSS or any
other kind of security practice. Validation of input has to do with business
logic. Sanitizing input is another thing altogether. Trying to do both at once
is usually pessimal. For example, if you use input validation to prevent SQL
injection, you might prohibit the ' character in input fields. This is
guaranteed to annoy everyone named "O'Grady." Likewise, if you use input
validation to prevent people from entering <script>, you will be shocked when
you discover the entertaining ways people have of routing around your
homebrewed "filters." Far better to make sure your display layer knows how to
display any user input without inserting it as raw HTML._

_And of course, if you're composing SQL queries by catenating strings
together, you do not need to validate input, you do not need "best"
practices, you need basic training. There's a difference._
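The separation the comment argues for, as an added example (not code from the linked page or the commenter): business-rule validation that never filters characters, a parameterized query that stores "O'Grady" verbatim, and HTML escaping applied only at the display layer. The table, sample names and helper names are constructed for this illustration; it uses only the Python standard library with an in-memory SQLite database.

```python
import html
import sqlite3

# Constructed sample input: a legitimate name containing an apostrophe and one
# containing markup. Neither is rejected or "cleaned"; both are stored verbatim
# and made safe at the boundary where they are used (the query, the HTML page).
SAMPLE_NAMES = ["O'Grady", "<script>alert(1)</script>"]


def validate_name(name: str) -> str:
    """Business-rule validation only: non-empty, bounded length. No security filtering."""
    name = name.strip()
    if not 1 <= len(name) <= 100:
        raise ValueError("name must be 1-100 characters")
    return name


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_user(conn: sqlite3.Connection, name: str) -> None:
    # Parameterized: the value travels separately from the SQL text, so the
    # apostrophe in O'Grady is data, never syntax, and no escaping is needed.
    conn.execute("INSERT INTO users (name) VALUES (?)", (validate_name(name),))
    conn.commit()


def find_user(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def concatenated_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    # The "basic training" failure: string concatenation cannot even look up a
    # legitimate name with an apostrophe; the quote ends the literal early.
    try:
        conn.execute("SELECT name FROM users WHERE name = '" + name + "'")
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting(name: str) -> str:
    # Display layer: escape for HTML at output time, whatever the input contained.
    return f"<p>Hello, {html.escape(name)}!</p>"


def demo() -> dict:
    conn = open_db()
    for n in SAMPLE_NAMES:
        insert_user(conn, n)
    return {n: render_greeting(find_user(conn, n)) for n in SAMPLE_NAMES}
```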

