Back in the scripting language, we are very cautious with what the user puts in. We have to validate the max length of the input so it won't cause a buffer overflow. We have to remove suspicious characters to prevent system attacks.
Now in a Java web app, do we still need to do that?
What is the validation required specifically for a Java web app to prevent this kind of attack?
A good persistence framework can really limit the kinds of CGI-style attacks you need to worry about. The classic CGI attack was to enter extraneous SQL code in the hopes of breaking database updates. Modern persistence frameworks like EJB, JDO or Hibernate automatically escape special characters in generated SQL calls, making this kind of attack very difficult.
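To make the answer concrete, here is an added illustration (my own example, not code from the answerer or from any of the frameworks named) of the difference between building SQL by string concatenation and letting the JDBC driver bind parameters, which is what the persistence frameworks mentioned above do for you. It also shows the input-length and character checks the question asks about, applied as an allowlist before the data ever reaches the database. The table name `users`, the column names and the `isValidUsername` rules are assumptions for the example; the `Connection` is whatever your app already obtains from its datasource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public final class UserLookup {

    // Hypothetical allowlist: 1 to 32 characters, letters, digits, dot, underscore, hyphen.
    // Length and character checks still matter in Java: not for buffer overflows,
    // but to reject junk early and keep downstream components (logs, LIKE clauses,
    // HTML output) from seeing unexpected input.
    private static final int MAX_USERNAME_LENGTH = 32;
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{1,32}$");

    public static boolean isValidUsername(String username) {
        if (username == null || username.length() > MAX_USERNAME_LENGTH) {
            return false;
        }
        return USERNAME.matcher(username).matches();
    }

    // The classic mistake: user data becomes part of the SQL text itself.
    // A value such as  x' OR '1'='1  changes the meaning of the statement.
    // Shown only so the contrast is visible; do not use this form.
    public static String buildUnsafeQuery(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    // The safe form: the SQL text is fixed, and the driver sends the value
    // separately as a bound parameter, so it can never be parsed as SQL.
    // This is the same mechanism a persistence framework uses under the hood.
    public static String findEmail(Connection conn, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("rejected username");
        }
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);          // bound, not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

The allowlist check is a defence-in-depth measure, not a substitute for parameter binding: binding is what stops the injection, while the validation keeps obviously malformed data out of every other layer. Note that frameworks only protect the queries they generate; if you hand Hibernate or JDBC a hand-built query string with user data concatenated into it, you are back in the `buildUnsafeQuery` situation.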