From: | Fernando Nasser <fnasser(at)redhat(dot)com> |
---|---|
To: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
Cc: | Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com>, Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
Subject: | Re: Prepared Statements |
Date: | 2003-07-21 14:28:52 |
Message-ID: | 3F1BF8A4.4020205@redhat.com |
Lists: | pgsql-jdbc |
Dmitry Tkach wrote:
>
> Two things that strike me here:
>
> - no mention of "security" stuff whatsoever. The sole purpose of
> PreparedStatement according to this is to "efficiently execute this
> statement multiple times",
> not "to prevent SQL injection attacks" or anything like that;
>
Because in "real" prepared statements there is no such risk. The risk is the
artifact of a bug in our client-side simulation of prepared statements (not real
prepared statements as per definition).
> - it is *explicitly* stated that setObject () should be used for
> "arbitrary type conversions";
>
Not that arbitrary. There is a table specifying, for each Java type that the
passed object is a member of, the proper JDBC type for the converted result, which
must be the type of the field you are trying to specify the value for.
So it is not that arbitrary.
--
Fernando Nasser
Red Hat - Toronto E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
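As an added illustration (not the driver's code and not part of this thread), the Python sketch below contrasts a real prepared statement, where sqlite3 binds the parameter separately from the SQL text, with a hypothetical client-side simulation that renders each setObject() value as a literal according to a per-type conversion table; the users table, its rows and the class name are constructed for the example.

```python
import sqlite3
from datetime import date

class SimulatedPreparedStatement:
    """Hypothetical client-side simulation of a JDBC PreparedStatement: each
    setObject() value is rendered as a SQL literal by a per-type table and
    spliced into one string, so the renderers alone decide what reads as SQL."""

    def __init__(self, sql: str):
        self.sql = sql
        self.params = {}

    def set_object(self, index: int, value):
        # The conversion table: the type of the value picks the JDBC type.
        if value is None:
            literal = "NULL"
        elif isinstance(value, bool):  # before int: bool is a subclass of int
            literal = "TRUE" if value else "FALSE"
        elif isinstance(value, (int, float)):
            literal = str(value)
        elif isinstance(value, str):
            literal = "'" + value.replace("'", "''") + "'"  # SQL doubles quotes
        elif isinstance(value, date):
            literal = "'" + value.isoformat() + "'"
        else:
            raise TypeError(f"no conversion in the table for {type(value).__name__}")
        self.params[index] = literal

    def render(self) -> str:
        parts = self.sql.split("?")
        if len(parts) - 1 != len(self.params):
            raise ValueError("parameter count does not match placeholders")
        out = parts[0]
        for i, part in enumerate(parts[1:], start=1):
            out += self.params[i] + part
        return out

def lookup(name: str):
    """Run the same query both ways against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("o'brien", "admin"), ("alice", "user")])
    # Real prepared statement: SQL text and the parameter travel separately.
    real = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    # Simulation: one string, whose safety rests entirely on set_object().
    ps = SimulatedPreparedStatement("SELECT role FROM users WHERE name = ?")
    ps.set_object(1, name)
    return real, conn.execute(ps.render()).fetchall()
```

With real binding the server never parses the value; with the simulation every type branch in set_object() is part of the trust boundary, which is why a defect there, and not prepared statements as such, is what creates the risk discussed above.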