java - What is the use of validation.properties for ESAPI.encoder().encodeForSQL in ESAPI?
I am using ESAPI SQL injection prevention in Java, via the ESAPI.encoder().encodeForSQL(ORACLE_CODEC, queryParam) method.
If I do not include validation.properties along with ESAPI.properties, I get an IllegalStateException.
Please let me know why encodeForSQL() requires validation.properties.
I'm more concerned that you're using ESAPI to stop SQL injection. Typically, this is achieved by rewriting the SQL queries in question into parameterized versions, using PreparedStatement or a JPA implementation that uses PreparedStatement. You want to be aware that using ESAPI to encode SQL has the design intent of a temporary remediation, for when a particular query is too complex to rewrite during an incident response situation. If you use encodeForSQL(), just note that it is a band-aid solution to the permanent problem of a poorly written SQL query. It should be expected that the query will be rewritten, and the need for ESAPI will go away.
This is because you're not going to get better escaping performance from ESAPI than from a well-written PreparedStatement.
There are 2 files ESAPI requires to function properly: ESAPI.properties and validation.properties. These files are needed because, in the order the classes load, they need to read options and settings from these files. You didn't provide a stacktrace, so diagnosing the exact problem is impossible, but if you supply both files, the problem should go away.
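To make the answer concrete, here is an added example (not code from the question or the answer above) showing the three shapes of the same Oracle lookup: the string-concatenated query, the ESAPI band-aid with OracleCodec, and the PreparedStatement rewrite. The table and column names and the UserLookup class are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;

// Hypothetical class; the "users" table and its columns are assumed for the example.
public class UserLookup {

    private static final Codec ORACLE_CODEC = new OracleCodec();

    // Before: user input concatenated straight into the SQL text. This is the
    // "poorly written SQL query" the answer refers to.
    public static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = '" + username + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Band-aid: ESAPI escapes the value for the Oracle dialect (a lone ' becomes '').
    // ESAPI.encoder() needs both ESAPI.properties and validation.properties on the
    // classpath while it loads its configuration, which is why the question's
    // IllegalStateException appears when validation.properties is missing.
    public static ResultSet findUserEscaped(Connection conn, String username) throws SQLException {
        String safe = ESAPI.encoder().encodeForSQL(ORACLE_CODEC, username);
        String sql = "SELECT id, email FROM users WHERE username = '" + safe + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Permanent fix: a bind parameter keeps the input out of the SQL text entirely,
    // so no escaping and no ESAPI configuration files are needed at all.
    public static ResultSet findUserParameterized(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

Once every call site uses findUserParameterized, the ESAPI dependency and its two properties files can be removed from the project.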