Re: Prepared Statements
| From | Fernando Nasser |
|---|---|
| Subject | Re: Prepared Statements |
| Date | |
| Msg-id | 3F1BDA47.4090709@redhat.com |
| In reply to | Re: Prepared Statements (Fernando Nasser <fnasser@redhat.com>) |
| Responses | Re: Prepared Statements; Re: Prepared Statements |
| List | pgsql-jdbc |
Dima Tkach wrote:
> I was fairly happy with what it used to be - just call setObject () and
> be done with it

Unfortunately that is not an option as it is a security risk. You cannot leave a driver out there which allows people to insert potentially harmful SQL statements just to make it easier for someone to specify a set.

In any case, I wonder if all PreparedStatements won't be server side only one day as the client side interface was created to fill in for the lack of that in older backends. Once that happens and the V3 protocol is used (7.4+ backends) I doubt that SQL injection, and the hack to set IN arguments, will work.

Regards to all,
Fernando

--
Fernando Nasser
Red Hat Canada Ltd.
E-Mail: fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
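The safe way to pass a set to an IN clause that the thread alludes to, as an added illustration rather than code from the thread or from the pgjdbc driver: one `?` placeholder per element, each bound as a typed parameter, next to the concatenation pattern that the driver must not encourage. The `accounts` table and its columns are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Collection;
import java.util.Collections;

public class InListBinding {

    // RISKY pattern: a caller-supplied fragment such as "1, 2, 3" is spliced
    // into the statement text, so whatever the fragment contains is parsed as
    // SQL by the backend. This is the "insert potentially harmful SQL
    // statements" problem the thread describes; shown only for contrast.
    static PreparedStatement riskyIn(Connection conn, String idListFragment)
            throws SQLException {
        return conn.prepareStatement(
            "SELECT id, name FROM accounts WHERE id IN (" + idListFragment + ")");
    }

    // SAFE pattern: the statement text is built only from trusted literals and
    // "?" markers; the values travel as bound parameters and are never parsed
    // as SQL. With server-side prepared statements (V3 protocol, 7.4+) the
    // backend receives the parameters separately from the statement text.
    static PreparedStatement safeIn(Connection conn, Collection<Integer> ids)
            throws SQLException {
        if (ids.isEmpty()) {
            // "IN ()" is a syntax error in PostgreSQL; an empty set matches
            // nothing, so return a statement that yields no rows.
            return conn.prepareStatement(
                "SELECT id, name FROM accounts WHERE false");
        }
        String placeholders =
            String.join(", ", Collections.nCopies(ids.size(), "?"));
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, name FROM accounts WHERE id IN (" + placeholders + ")");
        int index = 1;                 // JDBC parameter indexes start at 1
        for (Integer id : ids) {
            ps.setInt(index++, id);    // each element is a typed parameter
        }
        return ps;
    }
}
```

The placeholder count is derived from the collection size, never from user text, so the number of elements changes the shape of the query but not its meaning.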