...
The best defense against code injection vulnerabilities is to avoid including executable user input in code. If some dynamic code requires certain user input, the input should be sanitized. For example, a top-level method should ensure that the string firstName contains only valid characters. Refer to the guideline IDS08IDS01-J. Sanitize before processing or storing user input for more details.
...