From: Fernando Nasser <fnasser(at)redhat(dot)com>
To: Dima Tkach <dmitry(at)openratings(dot)com>
Cc: Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net>
Subject: Re: Prepared Statements
Date: 2003-07-21 12:19:19
Message-ID: 3F1BDA47.4090709@redhat.com
Lists: pgsql-jdbc

Dima Tkach wrote:
> I was fairly happy with what it used to be - just call setObject () and
> be done with it
Unfortunately, that is not an option, as it is a security risk.
You cannot leave a driver out there which allows people to insert
potentially harmful SQL statements just to make it easier for someone to
specify a set.

In any case, I wonder if all PreparedStatements won't be server-side
only one day, as the client-side interface was created to fill in for the
lack of that in older backends. Once that happens and the V3 protocol
is used (7.4+ backends), I doubt that SQL injection, and the hack to set
IN arguments, will work.
Regards to all,
Fernando
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
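As an added illustration of the point Fernando makes (this is example code written for this page, not code from the thread or from the pgjdbc driver), the contrast below is between splicing a caller-supplied list into the SQL text, which is what the "hack to set IN arguments" amounts to, and binding each element of the set as its own parameter. The table and column names (`accounts`, `id`, `name`) and the class name are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Example class, not part of pgjdbc. Table/column names are assumed.
public class InListExample {

    // The pattern the thread warns against: the caller hands over the whole
    // IN-list as one string and it is pasted into the SQL text. Whatever is
    // in that string is executed as SQL, so the caller, not the driver,
    // decides what the query means. Shown only to contrast with the safe form.
    static String unsafeInQuery(String rawList) {
        return "SELECT id, name FROM accounts WHERE id IN (" + rawList + ")";
    }

    // Safe form: the SQL text contains one '?' per element and nothing from
    // the caller; every value travels to the server as a bound parameter.
    static String buildInQuery(int n) {
        if (n <= 0) {
            throw new IllegalArgumentException("IN list must contain at least one value");
        }
        StringBuilder sb = new StringBuilder("SELECT id, name FROM accounts WHERE id IN (");
        for (int i = 0; i < n; i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append('?');
        }
        return sb.append(')').toString();
    }

    // Binds each id individually with a typed setter. setObject(idx, id)
    // would bind it as a parameter just the same; neither setter turns the
    // value into SQL text.
    static List<String> findNames(Connection conn, Collection<Integer> ids) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = buildInQuery(ids.size());
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int idx = 1;
            for (Integer id : ids) {
                ps.setInt(idx++, id);
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Alternative that keeps the SQL text fixed regardless of set size:
    // pass the set as a single SQL array parameter and compare with ANY.
    // Connection.createArrayOf is JDBC 4, so it postdates the 2003 thread.
    static List<String> findNamesWithArray(Connection conn, Collection<Integer> ids) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = "SELECT id, name FROM accounts WHERE id = ANY(?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setArray(1, conn.createArrayOf("integer", ids.toArray(new Integer[0])));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

The first form is the security risk described in the message: the driver cannot tell a list of numbers from a trailing `) OR ...` clause once the text has been spliced in. In the two safe forms the statement text is built entirely by the program, so the set of values can only ever be data, which is also why a fully server-side prepared statement (where text and parameters travel separately) leaves no room for the hack to work.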