Re: Prepared Statements
| От | Fernando Nasser |
|---|---|
| Тема | Re: Prepared Statements |
| Дата | |
| Msg-id | 3F16C79B.9040806@redhat.com обсуждение исходный текст |
| Ответ на | Prepared Statements (Julien Le Goff <julien.legoff@laposte.net>) |
| Список | pgsql-jdbc |
To solve this problem we have stored procedures, know in PostgreSQL land as 'functions'. Dmitry Tkach wrote:>> >> Forget performance for a moment and consider database security. Lets >> imagine that you have an address book table called address_book >> >> CREATE TABLE address_booK >> ( >> name varchar(30), >> address text >> ); >> >> and you want to select a row by name. You might write >> >> String query = "SELECT * from address_book WHERE name = "+strName >> >> where strName was typed in by the user. What would happen if the user >> typed: >> >> joe;delete from address_book > > > > > Either the exact same thing as what you describe below with the > PreparedStatement, or a syntax eror if you forget to put the user's > input into quotes when constracting your sql :-) > >> >> This is a security hole known as SQL injection. > > > No, it isn't :-) > The "hole" you are referring to is letting the users type in entire > queries, not just input parameters. > As long as you have control over how your sql is constructed, you not > any less (nor any more) safe with plain Statements than you would be > with PreparedStatements. The do the same exact thing. > > Dima > >> If you are using a normal Statement then your users can probably >> delete whole tables from the database but with a PreparedStatement you >> would write >> >> String query = "SELECT * from address_book WHERE name = ?" >> >> and the command actually passed over to the database would be >> >> SELECT * from address_book WHERE name = 'joe;delete from address_book' >> >> I'm sure you can see the difference. Maybe PreparedStatements will >> have a performance gain in some future release but at the moment they >> have a vital role to play in database security. >> > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org > -- Fernando Nasser Red Hat - Toronto E-Mail: fnasser@redhat.com 2323 Yonge Street, Suite #300 Toronto, Ontario M4P 2C9
В списке pgsql-jdbc по дате отправления: