Re: Prepared Statements
От | Csaba Nagy |
---|---|
Тема | Re: Prepared Statements |
Дата | |
Msg-id | 1058454878.25132.214.camel@coppola.ecircle.de обсуждение исходный текст |
Ответ на | Re: Prepared Statements (Dmitry Tkach <dmitry@openratings.com>) |
Ответы |
Re: Prepared Statements
|
Список | pgsql-jdbc |
On Thu, 2003-07-17 at 16:47, Dmitry Tkach wrote: [snip] > > > > This is a security hole known as SQL injection. > > No, it isn't :-) > The "hole" you are referring to is letting the users type in entire > queries, not just input parameters. > As long as you have control over how your sql is constructed, you not > any less (nor any more) safe with plain Statements than you would be > with PreparedStatements. The do the same exact thing. In my understanding the prepared statement will properly escape any parameter so it can be trusted that the resulting query will not contain something you wouldn't expect. Example (< and > are delimiters, ignore them): query: <SELECT * from address_book WHERE name = ?> input: <joe';delete from address_book where 'true> result if you just replace the <?> with <'$input'>: SELECT * from address_book WHERE name = 'joe';delete from address_book where 'true' -> results in 2 statements executed result if you use prepared statement: SELECT * from address_book WHERE name = 'joe\';delete from address_book where \'true' As you can see, the "clever" injection attack is still rejected through escaping the <'> characters. You can't possibly cause SQL injection while using prepared statements. Cheers, Csaba. > > Dima > > > If you are using a normal Statement then your users can probably > > delete whole tables from the database but with a PreparedStatement you > > would write > > > > String query = "SELECT * from address_book WHERE name = ?" > > > > and the command actually passed over to the database would be > > > > SELECT * from address_book WHERE name = 'joe;delete from address_book' > > > > I'm sure you can see the difference. Maybe PreparedStatements will > > have a performance gain in some future release but at the moment they > > have a vital role to play in database security. > > > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org >
В списке pgsql-jdbc по дате отправления: