From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
---|---|
To: | Richard Welty <rwelty(at)averillpark(dot)net> |
Cc: | pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: Prepared Statements |
Date: | 2003-07-21 15:14:13 |
Message-ID: | 20030721151413.GM2506@opencloud.com |
Lists: | pgsql-jdbc |
On Mon, Jul 21, 2003 at 11:01:56AM -0400, Richard Welty wrote:
> On Tue, 22 Jul 2003 02:30:02 +1200 Oliver Jowett <oliver(at)opencloud(dot)com> wrote:
> > On Mon, Jul 21, 2003 at 10:18:19AM -0400, Dmitry Tkach wrote:
>
> > > You can't possibly hope that JDBC driver will take care of all of the
> > > security risks for you. If you don't know how to write safe code, you'll
> > > be doomed. If you do, then you do not need help from jdbc driver. JDBC
> > > driver's whole purpose is to provide an abstraction layer between a
> > > database and an application program.
> > > It has nothing to do with security whatsoever.
> ...
> > Even if it was true, it's still better to have one piece of code that does
> > the escaping, rather than N different ones. With escaping in the JDBC
> > driver, you've reduced the scope of the code you need to audit for syntax
> > from "all query strings and all parameters" to "the JDBC driver's
> > parameter-escaping code and all query strings".
>
> eewwww.
>
> in a multi-tier architecture where the code that actually talks to
> the database is isolated from the GUI, this is a totally unreasonable
> expectation -- you really need to audit fields in the GUI, not somewhere
> way back in the code.
I was very careful to say "audit for syntax". You certainly want to make
sure you have input validation earlier on, too! But you don't need to
worry about, for example, correctly escaping strings that could validly have
a bare "'" in them before you pass them to the DB.
-O
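As an added example (not code from this thread or from the PostgreSQL JDBC driver) of the point above about a bare "'" in a parameter: the concatenating method needs every caller to escape correctly, while the PreparedStatement method leaves quoting to the driver. The `customers(name)` table, the connection URL and the credentials are assumptions; run it against a database where that table holds a row named O'Brien.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Builds the SQL by concatenation. A name such as O'Brien ends the literal
    // early and the server rejects the query as a syntax error; every caller
    // would have to escape the value itself, so there are N places to audit.
    static int countByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT count(*) FROM customers WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Passes the value as a parameter. The driver does the escaping in one
    // place, so O'Brien (or any other string) is sent as data and matches the row.
    static int countByNameSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT count(*) FROM customers WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection URL and credentials; adjust for your database.
        String url = "jdbc:postgresql://localhost/testdb";
        try (Connection conn = DriverManager.getConnection(url, "user", "password")) {
            String name = "O'Brien";
            System.out.println("safe: " + countByNameSafe(conn, name));
            try {
                System.out.println("unsafe: " + countByNameUnsafe(conn, name));
            } catch (SQLException e) {
                // Expected: the unterminated quoted string is a syntax error.
                System.out.println("unsafe failed: " + e.getMessage());
            }
        }
    }
}
```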