Versions Compared

...

The best defense against code injection vulnerabilities is to avoid including executable user input in code at all. When dynamic code must depend on user input, that input must be sanitized before it is used. For example, a top-level method could ensure that the string firstName contains only valid, white-listed characters. Refer to the guideline IDS01-J. Sanitize untrusted data passed across a trust boundary for more details. If special characters are allowed in the name, they must be escaped before the name is inserted into the code, so that the interpreter treats them as data rather than as their syntactically equivalent control forms (a quote that ends a string literal, a semicolon that ends a statement).
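The following Java program is an added example that is not part of the original guideline; it illustrates the two defenses named above for a firstName value that ends up in a JavaScript snippet evaluated through javax.script. The class name FirstNameGuard, the allow-list pattern (letters and hyphens only, at most 64 characters), the sample inputs and the injection payload are all constructed for this example, and the availability of a JavaScript ScriptEngine is an assumption (Nashorn shipped with JDK 8 through 14; later JDKs need an engine on the class path).

```java
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/** Added example for IDS52-J: allow-list the name, or keep it out of the script source entirely. */
public final class FirstNameGuard {

    // Allow-list (an assumption for this example): one letter followed by up to 63 letters or hyphens.
    // Quotes, parentheses, semicolons and slashes are excluded, so an accepted value can neither close
    // a string literal nor start a new statement when it is concatenated into script source.
    private static final Pattern ALLOWED = Pattern.compile("\\p{L}[\\p{L}\\-]{0,63}");

    static boolean isValidFirstName(String firstName) {
        return firstName != null && ALLOWED.matcher(firstName).matches();
    }

    // Vulnerable pattern: untrusted data becomes part of the code that will be evaluated.
    static String buildScriptUnsafe(String firstName) {
        return "print('Hello, " + firstName + "');";
    }

    // Hardened: refuse anything outside the allow-list before it reaches the script source.
    static String buildScriptChecked(String firstName) {
        if (!isValidFirstName(firstName)) {
            throw new IllegalArgumentException("first name contains disallowed characters");
        }
        return buildScriptUnsafe(firstName);
    }

    // Preferred: never splice the value into code; hand it to the engine as data through a binding,
    // so the script source is a constant and the name is only ever a string value inside it.
    static void greetViaBinding(ScriptEngine engine, String firstName) throws ScriptException {
        Bindings bindings = engine.createBindings();
        bindings.put("firstName", firstName);
        engine.eval("print('Hello, ' + firstName);", bindings);
    }

    public static void main(String[] args) throws ScriptException {
        String benign = "Mary-Ann";
        // Constructed injection payload: closes the string literal, runs arbitrary code, comments out the rest.
        String malicious = "x');java.lang.System.exit(0);//";

        System.out.println("script that would be evaluated for the payload: " + buildScriptUnsafe(malicious));
        System.out.println("allow-list accepts benign value:    " + isValidFirstName(benign));
        System.out.println("allow-list accepts malicious value: " + isValidFirstName(malicious));
        try {
            buildScriptChecked(malicious);
        } catch (IllegalArgumentException e) {
            System.out.println("checked builder rejected the payload: " + e.getMessage());
        }

        // Engine availability is an assumption of this example (see the lead-in).
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            System.out.println("no JavaScript engine available; skipping evaluation");
            return;
        }
        engine.eval(buildScriptChecked(benign));
        // The payload is handled as a string value here: nothing in it executes.
        greetViaBinding(engine, malicious);
    }
}
```

Note the interaction with the escaping caveat above: if the allow-list were widened to admit apostrophes (O'Brien), buildScriptChecked would again produce script that a quote can terminate, and an escaping step for the JavaScript string-literal context would become mandatory. The binding approach in greetViaBinding avoids that problem altogether, because the name never becomes part of the code.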

...