
I created an advanced filter/query builder in javascript/jquery. It works well so far, but only in the testing environment. I'm building the where statement in the javascript and sending it to the Java servlet along with the $.GET request. For some reason my initial plan included sanitizing the finalized where statement, which I realized before deploying wouldn't work, as it would just make the whole thing a string and not executable code.

The where statement is being built off of a JSON Object, and my next thought was to just send up the JSON Object and have it build the query where it can sanitize the inputs properly, but JSON might require a POST to send long queries, which I can't always use because the whole point of this function is to get data back from the servlet.

I'm not sure how to best proceed. Is there some way to sanitize an entire where clause? I thought about removing instances of things like "drop ", "create ", "update " but if an actual legitimate query has something that ends in drop then that wouldn't work either. Any ideas? The best thing for me to do is just limit the size of the query users can build and send it in the GET, but I'm hoping there is a better option.

Marcel Marino
  • Don't build the query yourself. Use a [prepared statement](http://stackoverflow.com/questions/687787/how-should-i-sanitize-database-input-in-java). – azurefrog Mar 28 '17 at 17:40
  • The plan was always to use a prepared statement, the question is how to build the sql to use a prepared statement. – Marcel Marino Mar 28 '17 at 17:55

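The approach the comments point at, shown as an added example that is not code from the question or its comments: the client sends the JSON filter tree as a URL-encoded GET parameter, and the server turns it into a parameterized WHERE clause. Column names and operator keys are checked against whitelists (the column list below is an assumption for the example), while every user value becomes a `?` placeholder and goes into a parameter list, so a legitimate value such as `%backdrop%` needs no blacklisting. The same structure ports directly to a Java servlet with `PreparedStatement`, binding `params[i]` to placeholder `i + 1`.

```javascript
// Added example: JSON filter tree -> parameterized WHERE clause.
// Columns and operator keys are the only client-supplied text that ever
// reaches the SQL string; values only ever become "?" placeholders.
const ALLOWED_COLUMNS = new Set(["id", "name", "status", "created_at", "amount"]); // assumed schema

// The client sends the key ("gte"); the SQL text comes from this fixed table.
const OPERATORS = {
  eq: "=", ne: "<>", lt: "<", lte: "<=", gt: ">", gte: ">=", like: "LIKE", in: "IN",
};

const MAX_CONDITIONS = 50; // bounds how large a query a client can build

function checkScalar(v) {
  const t = typeof v;
  if (t === "string" || t === "number" || t === "boolean" || v === null) return v;
  throw new Error("value must be a scalar");
}

// filter node shapes: { and: [...] } | { or: [...] } | { col, op, value }
function buildWhere(filter) {
  const params = [];
  let count = 0;

  function visit(node) {
    if (node === null || typeof node !== "object" || Array.isArray(node)) {
      throw new Error("filter node must be an object");
    }
    const group = node.and ? "AND" : node.or ? "OR" : null;
    if (group) {
      const children = node.and || node.or;
      if (!Array.isArray(children) || children.length === 0) throw new Error("empty group");
      return "(" + children.map(visit).join(" " + group + " ") + ")";
    }
    if (++count > MAX_CONDITIONS) throw new Error("too many conditions");
    if (!ALLOWED_COLUMNS.has(node.col)) throw new Error("unknown column: " + node.col);
    const sqlOp = OPERATORS[node.op];
    if (!sqlOp) throw new Error("unknown operator: " + node.op);
    if (node.op === "in") {
      if (!Array.isArray(node.value) || node.value.length === 0) {
        throw new Error("IN needs a non-empty array");
      }
      node.value.forEach((v) => params.push(checkScalar(v)));
      return node.col + " IN (" + node.value.map(() => "?").join(", ") + ")";
    }
    params.push(checkScalar(node.value));
    return node.col + " " + sqlOp + " ?";
  }

  return { sql: visit(filter), params };
}

// Transport over GET: the JSON goes in one URL-encoded query parameter.
function toQueryString(filter) {
  return "filter=" + encodeURIComponent(JSON.stringify(filter));
}

function fromQueryString(qs) {
  const raw = new URLSearchParams(qs).get("filter");
  if (raw === null) throw new Error("missing filter parameter");
  return JSON.parse(raw);
}

// Constructed sample filter, including a value that merely contains "drop".
const EXAMPLE_FILTER = {
  and: [
    { col: "status", op: "eq", value: "active" },
    { or: [
      { col: "amount", op: "gt", value: 100 },
      { col: "name", op: "like", value: "%backdrop%" },
    ] },
    { col: "id", op: "in", value: [1, 2, 3] },
  ],
};

// Round-trips the sample through the GET encoding and builds the clause.
function runExample() {
  return buildWhere(fromQueryString(toQueryString(EXAMPLE_FILTER)));
}

const built = runExample();
console.log("WHERE " + built.sql); // WHERE (status = ? AND (amount > ? OR name LIKE ?) AND id IN (?, ?, ?))
console.log(built.params);         // [ 'active', 100, '%backdrop%', 1, 2, 3 ]
```

Anything outside the whitelists (an unknown column, an operator key not in the table, a nested object where a scalar is expected) is rejected before any SQL is assembled, and the condition cap replaces the "limit the size of the query" idea with a check on structure rather than on string length.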
0 Answers