Untitled

a guest
Aug 20th, 2018
CSRF, XSS and SQL Injection attack prevention in JSF

<!-- Safe: EL output in Facelets template text is HTML-escaped by default -->
<p>Welcome, #{user.name}</p>

<!-- Unsafe: escape="false" writes the raw value into the page -->
<h:outputText value="#{user.name}" escape="false" />

// Unsafe: user input concatenated into the query text
String sql = "SELECT * FROM user WHERE username = '" + username + "' AND password = md5('" + password + "')";
String jpql = "SELECT u FROM User u WHERE u.username = '" + username + "' AND u.password = md5('" + password + "')";

// Example username value that changes the meaning of the concatenated query
x'; DROP TABLE user; --

// Safe: placeholders, values bound as parameters
String sql = "SELECT * FROM user WHERE username = ? AND password = md5(?)";
String jpql = "SELECT u FROM User u WHERE u.username = ?1 AND u.password = md5(?2)";

// Unsafe: raw value written into the response body
response.getWriter().write("<b>" + x + "</b>");

// Safe: value HTML-escaped before it is written
response.getWriter().write("<b>" + escapePlainTextToHtml(x) + "</b>");
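The paste shows the parameterized query and the escaping call but not the surrounding code. The class below is an added example, not part of the paste: it writes out `findUser` (a hypothetical DAO method using JDBC `PreparedStatement` for the `?` placeholders above; the JPQL form is the same idea with `em.createQuery(jpql, User.class).setParameter(1, username).setParameter(2, password)`) and a working `escapePlainTextToHtml`, which the paste calls but never defines. The table and column names follow the paste's SQL; `md5()` is kept only to match it. `main` exercises the escaper on two constructed inputs, the script payload and the `x'; DROP TABLE user; --` value from the paste, and needs no database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

/** Added example (hypothetical class name), not code from the paste. */
public class JsfInjectionDefenses {

    /**
     * Parameterized lookup. The two user-supplied strings are sent as bound
     * parameters, so a username such as  x'; DROP TABLE user; --  is compared
     * as a literal value and never parsed as SQL text.
     * Returns the matching user's id, if any. md5() mirrors the paste's query;
     * a slow password hash (bcrypt, scrypt, Argon2) is the usual choice today.
     */
    public static Optional<Long> findUser(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM user WHERE username = ? AND password = md5(?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
            }
        }
    }

    /**
     * The helper the paste calls but does not define. Encodes the five
     * characters that can break out of HTML text or a quoted attribute, so the
     * result is safe to write raw (escape="false", or a direct servlet write).
     */
    public static String escapePlainTextToHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a script tag and the paste's SQL payload.
        String scriptName = "<script>alert(1)</script>";
        String sqlPayload = "x'; DROP TABLE user; --";

        String escaped = escapePlainTextToHtml(scriptName);
        System.out.println("<b>" + escaped + "</b>");
        if (escaped.indexOf('<') >= 0 || escaped.indexOf('>') >= 0) {
            throw new AssertionError("tag characters survived escaping");
        }

        String escapedPayload = escapePlainTextToHtml(sqlPayload);
        System.out.println("<b>" + escapedPayload + "</b>");
        if (escapedPayload.indexOf('\'') >= 0) {
            throw new AssertionError("quote survived escaping");
        }

        // findUser(conn, sqlPayload, "pw") needs a live JDBC Connection; with
        // one, the driver transmits sqlPayload as a bound string, not as SQL.
    }
}
```

Run with `javac JsfInjectionDefenses.java && java JsfInjectionDefenses`. Escaping is done at output time, at the point where the value enters HTML, while query parameters are bound at query time; the two defenses address different sinks and neither replaces the other.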