[OWASP-ESAPI] ESAPI SecureStrings
Stephen de Vries
stephen at twisteddelight.org
Thu Apr 2 04:33:03 EDT 2009
> In the web services we develop, we store credit-card information.
> Most people will use Strings to store credit-card info and store an
> encrypted version in the database.
> But Strings in Java are immutable and are not deleted by the garbage
> collection. (what’s new)

Not so. Instances of String created at runtime are treated the same
as any other object and are garbage collected according to the normal
rules. The only types of string that aren't GC'd are those created in
the literal pool, see: http://www.xyzws.com/Javafaq/what-is-string-literal-pool/3
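
The distinction drawn in the reply above can be observed with weak references. This is an added example, not code from the thread or from ESAPI; the class name StringGcDemo, the helper collected() and the sample card number are constructed for illustration.

```java
import java.lang.ref.WeakReference;

public class StringGcDemo {
    // Constructed sample value (a common test card number), not real data.
    // As a compile-time literal it lives in the string literal pool.
    private static final String LITERAL = "4111111111111111";

    // Returns true once the referent has been reclaimed.
    // System.gc() is only a request, so retry a few times before giving up.
    static boolean collected(WeakReference<?> ref) throws InterruptedException {
        for (int i = 0; i < 20 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws InterruptedException {
        // A String built at runtime is an ordinary heap object,
        // distinct from the pooled literal even though the text is equal.
        String runtime = new String(LITERAL.toCharArray());
        WeakReference<String> runtimeRef = new WeakReference<>(runtime);
        WeakReference<String> literalRef = new WeakReference<>(LITERAL);

        System.out.println("same object as literal: " + (runtime == LITERAL));

        // Drop the only strong reference to the runtime instance.
        runtime = null;

        // Typically true on HotSpot: the runtime String is reclaimed.
        System.out.println("runtime String collected: " + collected(runtimeRef));
        // false: the pool (and the static field) still reference the literal.
        System.out.println("literal String collected: " + collected(literalRef));
    }
}
```

Being eligible for collection says nothing about when the memory is actually reclaimed or overwritten, so the value can stay readable in a heap dump for some time after the last reference is dropped.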