Talk:JSP JSTL

A few things need clarification:
 * cookie - anything juicy? I can't remember what my problem was with this implicit object.
 *  - splitting?
 * ,  - I hear these use prepared statements. Can anyone think of ways of misuse still?

Here's what I cut:

    SELECT * FROM mytable WHERE name='<%=request.getParameter("taintme")%>'
    INSERT INTO mytable VALUES (2,'<%=request.getParameter("taintme")%>')
 * This tag can execute its body as a SQL statement.
 * It can also execute its sql attribute as a query.
 * I have not been able to prove SQL injection; either way, it seems this tight coupling is bad practice unless we're talking about a small app... thoughts?

 Cleanser, sort of? Works like prepared statements.
    SELECT * FROM mytable WHERE name= ?
 * Parameterized SQL statements – replace each ‘?’ with a parameter.
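The two forms side by side, as an added example for this talk page (not the cut article text and not from any project): the JSTL SQL tag library's `<sql:query>`, `<sql:update>` and `<sql:param>` tags are real, and the reference implementation runs the statement through a `PreparedStatement`, so a `?` bound by `<sql:param>` is never interpolated into the SQL text. The data source name `jdbc/exampleDS`, the table `mytable`, the request parameters `taintme` and `sortCol`, and the column names are assumptions made for the example. It also shows the residual misuse the thread asks about: `<sql:param>` only binds values, so any part of the statement that is not a value (here an ORDER BY column) still has to be built from text, and is injectable again unless it is whitelisted.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>

<%-- Assumed: a container-managed DataSource bound at this JNDI name. --%>
<sql:setDataSource var="ds" dataSource="jdbc/exampleDS" />

<%-- 1. Injectable: the request value is pasted into the SQL text before the
     tag ever sees it. taintme = x' OR '1'='1 turns the WHERE into a tautology. --%>
<sql:query var="unsafe" dataSource="${ds}">
  SELECT * FROM mytable WHERE name='<%= request.getParameter("taintme") %>'
</sql:query>

<%-- Same problem with EL: ${} is evaluated into the body text, not bound. --%>
<sql:query var="unsafeEL" dataSource="${ds}">
  SELECT * FROM mytable WHERE name='${param.taintme}'
</sql:query>

<%-- 2. Parameterized: the '?' stays in the SQL; each <sql:param> is set on the
     PreparedStatement, so quotes in taintme are just data. --%>
<sql:query var="safe" dataSource="${ds}">
  SELECT * FROM mytable WHERE name = ?
  <sql:param value="${param.taintme}" />
</sql:query>

<sql:update var="inserted" dataSource="${ds}">
  INSERT INTO mytable VALUES (2, ?)
  <sql:param value="${param.taintme}" />
</sql:update>

<%-- 3. Residual misuse: a bound parameter can only be a value. A column name,
     table name or sort direction cannot be a '?', so this falls back to text
     and sortCol = "name; DROP TABLE mytable" (or a slow subquery) lands in the SQL. --%>
<sql:query var="stillUnsafe" dataSource="${ds}">
  SELECT * FROM mytable WHERE name = ? ORDER BY ${param.sortCol}
  <sql:param value="${param.taintme}" />
</sql:query>

<%-- Whitelist the non-bindable part instead of interpolating it: only two
     known column names can ever reach the statement. --%>
<c:set var="sortCol" value="name" />
<c:if test="${param.sortCol == 'id' or param.sortCol == 'name'}">
  <c:set var="sortCol" value="${param.sortCol}" />
</c:if>
<sql:query var="safeSorted" dataSource="${ds}">
  SELECT * FROM mytable WHERE name = ? ORDER BY ${sortCol}
  <sql:param value="${param.taintme}" />
</sql:query>

<%-- Output-encode what comes back; a parameterized query does not make the
     stored data safe to echo into HTML. --%>
<c:forEach var="row" items="${safeSorted.rows}">
  <c:out value="${row.name}" /><br/>
</c:forEach>
```

Deploy this on any servlet container with JSTL on the classpath and a data source bound at the assumed JNDI name, then request it with `?taintme=x%27%20OR%20%271%27%3D%271`: the first two queries return every row, the parameterized ones return only a row literally named `x' OR '1'='1` (normally none). The fact that the tag uses a prepared statement does not help when the SQL text itself is assembled from request data, whether by a scriptlet, by EL in the body, or by EL in the `sql` attribute.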