| From: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
|---|---|
| To: | Fernando Nasser <fnasser(at)redhat(dot)com> |
| Cc: | Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-21 14:18:19 |
| Message-ID: | 3F1BF62B.4020609@openratings.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Fernando Nasser wrote:
> Dima Tkach wrote:
>
>> I was fairly happy with what it used to be - just call setObject ()
>> and be done with it
>
>
> Unfortunately that is not an option as it is a security risk.
>
> You cannot leave a driver out there which allows people to insert
> potentially harmful SQL statements just to make it easier for someone
> to specify a set.
The driver allows people to "insert potentially harmful SQL" *anyway* -
even if every "problem" of this kind with PreparedStatement is fixed,
the *driver* still allows you to send in anything you want by simply
using Statement instead...
You can't possibly hope that JDBC driver will take care of alll of the
security risks for you. If you don't know how to write safe code, you'll
be doomed. If you do, then you do not need help from jdbc driver. JDBC
driver's whole purpose is to provide an abstraction layer between a
database and an application program.
It has nothing to do with security whatsoever.
Dima
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dmitry Tkach | 2003-07-21 14:24:15 | Re: Prepared Statements |
| Previous Message | Dmitry Tkach | 2003-07-21 14:14:17 | Re: Prepared Statements |