Re: Prepared Statements
From | Oliver Jowett |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 20030721143002.GF2506@opencloud.com |
In reply to | Re: Prepared Statements (Kim Ho <kho@redhat.com>) |
Responses | Re: Prepared Statements, Re: Prepared Statements |
List | pgsql-jdbc |
On Mon, Jul 21, 2003 at 10:18:19AM -0400, Dmitry Tkach wrote:

> You can't possibly hope that JDBC driver will take care of all of the
> security risks for you. If you don't know how to write safe code, you'll
> be doomed. If you do, then you do not need help from jdbc driver. JDBC
> driver's whole purpose is to provide an abstraction layer between a
> database and an application program.
> It has nothing to do with security whatsoever.

This is only true if all DBs use identical SQL syntax, which they don't.
Tried embedding a NUL into a query lately?

Even if it was true, it's still better to have one piece of code that does the escaping, rather than N different ones. With escaping in the JDBC driver, you've reduced the scope of the code you need to audit for syntax from "all query strings and all parameters" to "the JDBC driver's parameter-escaping code and all query strings".

-O
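
The audit-scope argument in the message above, as an added example that is not part of the original message and is not pgjdbc's code: every parameter passes through one escaping routine, so that routine and the query templates are all that need review. The class and method names are hypothetical, and the sketch assumes `standard_conforming_strings = on` and templates without double-quoted identifiers, comments or dollar quoting; application code gets the same effect by calling `PreparedStatement.setString`.

```java
import java.util.List;
// Added illustration (hypothetical class, not pgjdbc code): one audited routine
// that turns every parameter into a PostgreSQL string literal.
public class CentralEscaping {

    // Assumes standard_conforming_strings = on, so only ' needs doubling.
    static String quoteLiteral(String value) {
        StringBuilder out = new StringBuilder(value.length() + 2).append('\'');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                // The NUL case raised in the message: refuse it in one place.
                throw new IllegalArgumentException("NUL not allowed in string parameter");
            }
            if (c == '\'') out.append('\'');
            out.append(c);
        }
        return out.append('\'').toString();
    }

    // Replace each ? outside a quoted literal with the next escaped parameter.
    static String bind(String template, List<String> params) {
        StringBuilder sql = new StringBuilder();
        boolean inLiteral = false;
        int next = 0;
        for (int i = 0; i < template.length(); i++) {
            char c = template.charAt(i);
            if (c == '\'') inLiteral = !inLiteral;
            if (c == '?' && !inLiteral) {
                if (next >= params.size()) throw new IllegalArgumentException("too few parameters");
                sql.append(quoteLiteral(params.get(next++)));
            } else {
                sql.append(c);
            }
        }
        if (next != params.size()) throw new IllegalArgumentException("too many parameters");
        return sql.toString();
    }

    public static void main(String[] args) {
        String query = "SELECT id FROM users WHERE name = ?";  // constructed sample
        System.out.println(bind(query, List.of("O'Brien")));   // quote is doubled
        try {
            bind(query, List.of("bob\0x"));                     // constructed NUL input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```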