I have a question about where to check user input in clean architecture.
For example, suppose you have an app that saves your name in the DB when you enter it.
The specification states that users can store names of up to 14 characters.
In this case, refer to the figure below.
We believe that Entities is in charge of checking whether the name is 14 characters or less.
This is because the specification states that it must be 14 characters or less, and we consider this to be a business rule.
Then, as a measure against SQL injection, suppose I want to implement a process that converts dangerous characters that operate the DB if the name entered by the user contains them.
This "process of converting dangerous characters that operate the DB" is not described in the specification, so I don't think it is a business rule.
Therefore, I think that this process should be described in a layer outside Entities/Use Cases. Is this idea correct?
We apologize for the inconvenience, but we look forward to hearing from you.
Answer #1
Then, as a measure against SQL injection, if the name entered by the user contains dangerous characters that operate the DB, we will implement a process to convert them.
If I were to implement it, I wouldn't implement "processing that converts the name if it contains dangerous characters that operate the DB". I don't check for it either. SQL injection can be avoided by using placeholders when issuing SQL, so it is avoided by the implementation around the DB (Repository).
SQL injection countermeasures are required because SQL is issued. They are not required if you are saving to a regular file. Since SQL is issued, it is necessary to take measures against SQL injection, so we deal with it wherever we issue the SQL.
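The split Answer #1 describes, as an added example that is not part of the original post: the Entity enforces the 14-character rule from the specification, and the Repository issues SQL only through placeholders, so no "conversion of dangerous characters" exists anywhere. The example assumes Python with the standard-library sqlite3 module and an in-memory database; the class and table names are chosen for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Business rule from the specification: names are at most 14 characters.
NAME_MAX_LEN = 14


class InvalidNameError(ValueError):
    """Raised by the Entity when a name violates the specification."""


@dataclass(frozen=True)
class UserName:
    """Entity layer: knows only the business rule, nothing about SQL."""
    value: str

    def __post_init__(self) -> None:
        if not self.value or len(self.value) > NAME_MAX_LEN:
            raise InvalidNameError(
                f"name must be 1..{NAME_MAX_LEN} characters, got {len(self.value)}"
            )


def name_is_valid(raw: str) -> bool:
    """Convenience check mirroring the Entity's rule (no content filtering)."""
    try:
        UserName(raw)
    except InvalidNameError:
        return False
    return True


class SqliteUserRepository:
    """Repository (outer layer): the only place SQL is issued.

    Every user-supplied value travels as a bound parameter ('?'), never by
    string concatenation, so the stored text is exactly what the Entity held.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
        )

    def save(self, name: UserName) -> int:
        cur = self.conn.execute("INSERT INTO users (name) VALUES (?)", (name.value,))
        self.conn.commit()
        return cur.lastrowid

    def find_by_name(self, name: UserName) -> list[str]:
        rows = self.conn.execute(
            "SELECT name FROM users WHERE name = ?", (name.value,)
        ).fetchall()
        return [row[0] for row in rows]

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def new_repository() -> SqliteUserRepository:
    """Fresh in-memory repository, handy for the demo and for tests."""
    return SqliteUserRepository(sqlite3.connect(":memory:"))


if __name__ == "__main__":
    repo = new_repository()
    # Constructed sample inputs: quotes and comment markers are ordinary
    # characters to the Entity; the placeholder keeps them literal in SQL.
    for raw in ["Alice", "O'Brien", "Bob;--"]:
        repo.save(UserName(raw))
        print(raw, "->", repo.find_by_name(UserName(raw)))
    print("15-char name accepted?", name_is_valid("A" * 15))
```

Note that the round trip is lossless: `O'Brien` is stored and read back as `O'Brien`, which a quote-escaping "conversion" layer would not guarantee. The length check fails for a 15-character name regardless of its content, because that, and only that, is the business rule.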
Answer #2
Then, as a measure against SQL injection, if the name entered by the user contains dangerous characters that operate the DB, we will implement a process to convert them. This "process of converting dangerous characters that operate the DB" is not described in the specification, so I think that it cannot be said to be a business rule.
Therefore, I think that this process should be described in a layer outside Entities/Use Cases. Is this idea correct?
I don't understand what you mean by "described", but it is not necessary to write the contents of SQL injection countermeasures one by one in documents such as specifications and design documents. This is because "SQL injection countermeasures are commonplace". You don't need to write them, just as you don't write "connect to the database server" before each SQL call.
Then, as for where to write it: somewhere in the implementation rule book, or in the method design document etc., describe the method of SQL calls (including the O/R mapper etc.), and make sure that SQL injection countermeasures are automatically taken within it.
In this way, it is sufficient if the document for countermeasures against implementation vulnerabilities such as SQL injection is described comprehensively for the system (in some cases, within the department), and it need not be described in the document for each processing part.