What is use of validation.properties for ESAPI.encoder().encodeForSQL in ESAPI

user99546 · Feb 6, 2016 · Viewed 9.7k times

I am using ESAPI for SQL injection prevention in Java. I am only using the ESAPI.encoder().encodeForSQL(ORACLE_CODEC, queryparam) method.

If I do not include validation.properties in the esapi.properties, I get an IllegalStateException.

Please let me know why encodeForSQL() requires validation.properties.

Answer

avgvstvs · Feb 7, 2016

I'm actually more concerned that you're using ESAPI to stop SQL injection. Typically, this is achieved by rewriting the SQL queries in question to parameterized versions, like using PreparedStatement or a JPA implementation that uses PreparedStatement. I just want you to be aware that using ESAPI to encode for SQL is only intended as a temporary remediation, for when a particular query is too complex to rewrite during an incident-response situation. If you use encodeForSQL(), just note that it is a band-aid solution for the permanent problem of a poorly written SQL query. It should be expected that the query will be rewritten and the need for ESAPI will go away.

This is because you're not going to get better escaping performance from ESAPI than you will from a properly written PreparedStatement.

There are two files ESAPI requires to function properly. ESAPI.properties and validation.properties. These files are needed because in order for most of the classes to load, they need to read options and settings from these files. You didn't provide a stacktrace, so diagnosing your exact problem will be impossible, but if you supply those files, the problem should go away.

ESAPI.properties, validation.properties
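To make the answer's point concrete, here is an added example (not code from the question, the answer, or the ESAPI project) showing the three stages side by side: the original concatenated query, the encodeForSQL() band-aid the question asks about, and the PreparedStatement rewrite the answer recommends. The table and column names (accounts, username, email) and the class name are assumptions made for the illustration; the ESAPI calls use the real org.owasp.esapi API, and the band-aid variant will only run if ESAPI.properties and validation.properties are reachable on the classpath, which is exactly the dependency the question ran into.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;

// Hypothetical class for the example; schema (accounts/username/email) is assumed.
public class AccountLookup {

    private static final Codec ORACLE_CODEC = new OracleCodec();

    // 1. The original problem: untrusted input concatenated straight into SQL.
    //    An input such as   x' OR '1'='1   closes the string literal and changes
    //    the WHERE clause, so the query matches every row.
    static String vulnerableQuery(String username) {
        return "SELECT id, email FROM accounts WHERE username = '" + username + "'";
    }

    // 2. The band-aid the question asks about: the same concatenation, but the value
    //    is passed through ESAPI's Oracle codec first, which doubles each embedded
    //    single quote so the input can no longer terminate the literal.
    //    ESAPI.encoder() loads DefaultSecurityConfiguration, which in turn reads
    //    ESAPI.properties and validation.properties; without them this line throws
    //    before any encoding happens, even though only the encoder is used.
    static String bandAidQuery(String username) {
        String escaped = ESAPI.encoder().encodeForSQL(ORACLE_CODEC, username);
        return "SELECT id, email FROM accounts WHERE username = '" + escaped + "'";
    }

    // 3. The permanent fix: the SQL text is fixed at compile time and the value is
    //    sent as a bound parameter, so no escaping is needed and ESAPI is not
    //    involved at all. The JDBC driver handles quoting, type and length.
    static String lookupEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM accounts WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attack string; compare how the two string-building variants treat it.
        String attack = "x' OR '1'='1";
        System.out.println("vulnerable: " + vulnerableQuery(attack));
        System.out.println("band-aid:   " + bandAidQuery(attack));
        // lookupEmail() needs a live Connection; its query text never varies with input.
    }
}
```

Note that lookupEmail() has no ESAPI import at all: once the query is parameterized there is nothing left for encodeForSQL() to do, which is why the answer treats the properties-file error as a symptom to remove rather than a configuration problem to fix. The OracleCodec only handles quote doubling for Oracle's dialect; for another database the matching codec (for example MySQLCodec) would be required, and that dialect dependence is one more reason to prefer the bound-parameter version.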