| From: | Fernando Nasser <fnasser(at)redhat(dot)com> |
|---|---|
| To: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
| Cc: | Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com>, Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-21 15:04:25 |
| Message-ID: | 3F1C00F9.2060101@redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Dmitry Tkach wrote:> Fernando Nasser wrote:
>
>> Dmitry Tkach wrote:
>>
>>>
>>> Two things that stricke me here:
>>>
>>> - no mention of "security" stuff whatsoever. The sole purpose of
>>> PreparedStatement according to this is to "efficiently execute this
>>> statement multipe times",
>>> not "to prevent slq injection attacks" or anything like that;
>>>
>>
>> Because in "real" prepared statements there is no such risk. The risk
>> is the artifact of a bug in our client side simulation of prepared
>> statements (not real prepared statements as per definition).
>
>
> My point was that the risk exists, when you do *not* use
> PreparedStatements, right?
> If the purpose of PreparedStatement was to eliminate that risk, it would
> have been mentioned. But it is not. Because PreparedStatement has
> nothing to do with the security. It is all about efficiency.
>
I don't agree with your reading. It is not mentioned because it is
intrinsically safe.
>
>>> - it is *explicitly* stated that setObject () should be used for
>>> "arbitrary type conversions";
>>>
>>
>> Not that arbitrary. There is a table specifying for each java type
>> that the passed object is member of the proper JDBC type for the
>> converted result. Which must be the type of the field you are trying
>> to specify the value for.
>>
>> So it is not that arbitrary.
>
>
> It doesn't say *how* arbitrary. It just says "arbitrary". :-)
> If you could only pass objects of types in that table, you would not
> need setObject () - just setString(), setInt() etc... would suffice.
> The whole idea of setObject () is to be able to pass in an argument for
> each there is no specialized setter function.
>
No, you are misreading the spec. The catch all is there, java class, which
result in JAVA_OBJECT.
The setObject method is intended to allow conversion between types, which is not
possible with the type specific setXXX that always convert to the default type
for that method.
--
Fernando Nasser
Red Hat - Toronto E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Jowett | 2003-07-21 15:07:02 | Re: Prepared Statements |
| Previous Message | Richard Welty | 2003-07-21 15:01:56 | Re: Prepared Statements |