...
The best defense against code injection vulnerabilities is to avoid including executable user input in code. When dynamic code requires user input, that input must be sanitized. For example, a top-level method could ensure that the string firstName
contains only valid, white-listed characters. Refer to the guideline IDS01-J. Carefully filter any data that passes through a trust boundarySanitize before processing or storing user input for more details. If special characters are allowed in the name, they must be escaped before comparing with their equivalent forms.
...