[OWASP-ESAPI] ESAPI SecureStrings

Stephen de Vries stephen at twisteddelight.org
Thu Apr 2 04:33:03 EDT 2009


>
> In the web services we develop, we store credit-card information.
> Most people will use Strings to store credit-card info and store an  
> encrypted version in the database.
>
> But Strings in Java are immutable and are not deleted by the garbage  
> collection. (what’s new)

Not so.  Instances of String created at runtime are treated the same  
as any other object and are garbage collected according to the normal  
rules.  The only types of string that aren't GC'd are those created in  
the literal pool, see: http://www.xyzws.com/Javafaq/what-is-string-literal-pool/3


Stephen
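
An added example, not part of the original message or of ESAPI: it uses a `WeakReference` to observe the difference described above between a String built at runtime and a String literal, and sets a `char[]` beside them because an array can be overwritten at a chosen moment while an immutable String can only wait for the collector. The class name, the `clearedAfterGc` helper and the sample value are assumptions made for illustration, and `System.gc()` is only a request, so the runtime String is typically, not necessarily, reported as collected.

```java
import java.lang.ref.WeakReference;
import java.util.Arrays;

public class StringGcDemo {

    // Request a collection a few times; System.gc() is a hint, not a guarantee.
    static boolean clearedAfterGc(WeakReference<?> ref) throws InterruptedException {
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample value (sixteen '4' characters), not real card data.
        char[] sample = new char[16];
        Arrays.fill(sample, '4');

        // String created at runtime: an ordinary heap object with no strong
        // reference left once this statement completes.
        WeakReference<String> runtime = new WeakReference<>(new String(sample));

        // String literal: kept reachable through the literal pool for as long
        // as this class stays loaded.
        WeakReference<String> literal = new WeakReference<>("pooled-literal");

        System.out.println("runtime String collected: " + clearedAfterGc(runtime));
        System.out.println("literal String collected: " + clearedAfterGc(literal));

        // Collectable is not the same as erased on demand: a String's contents
        // cannot be overwritten by the caller, a char[]'s contents can.
        Arrays.fill(sample, '\0');
        System.out.println("char[] wiped by caller: " + (sample[0] == '\0'));
    }
}
```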

