Re: Prepared Statements
From | Dmitry Tkach |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 3F1BF62B.4020609@openratings.com |
In reply to | Re: Prepared Statements (Fernando Nasser <fnasser@redhat.com>) |
List | pgsql-jdbc |
Fernando Nasser wrote:
> Dima Tkach wrote:
>
>> I was fairly happy with what it used to be - just call setObject ()
>> and be done with it
>
>
> Unfortunately that is not an option as it is a security risk.
>
> You cannot leave a driver out there which allows people to insert
> potentially harmful SQL statements just to make it easier for someone
> to specify a set.

The driver allows people to "insert potentially harmful SQL" *anyway* - even if every "problem" of this kind with PreparedStatement is fixed, the *driver* still allows you to send in anything you want by simply using Statement instead...

You can't possibly hope that the JDBC driver will take care of all of the security risks for you. If you don't know how to write safe code, you'll be doomed. If you do, then you do not need help from the JDBC driver.

A JDBC driver's whole purpose is to provide an abstraction layer between a database and an application program. It has nothing to do with security whatsoever.

Dima
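The distinction the two posters are arguing over, shown as an added example that is not part of this thread and not code from the PostgreSQL JDBC driver. Python's standard-library sqlite3 module stands in for Java and JDBC so that the block runs stand-alone; the driver-level behaviour is the same: a Statement-style path sends whatever SQL text the caller assembled, while a PreparedStatement-style path keeps the SQL fixed and binds values as parameters. It also goes one step beyond the thread and shows the safe way to "specify a set" (the original complaint about setObject) by generating one placeholder per element instead of passing SQL text. The `users` table, its rows and every input string are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Statement path: the caller builds the SQL text and the driver sends it verbatim.

    Whatever the user typed becomes part of the query, so a quote in the input
    changes the query's structure rather than staying a value.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """PreparedStatement path: SQL text is fixed; the value is bound as a parameter.

    The same hostile input is compared as a literal string and matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_in_set(conn, names):
    """Passing a set without passing SQL: one '?' per element, all values bound.

    This is the safe alternative to handing setObject() a pre-built
    "('a','b','c')" fragment: the SQL text depends only on the set's size,
    never on its contents.
    """
    names = list(names)
    if not names:
        return []  # "IN ()" is invalid SQL; handle the empty set explicitly
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT name FROM users WHERE name IN ({placeholders}) ORDER BY name"
    return [row[0] for row in conn.execute(sql, tuple(names))]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("concatenated:", lookup_concat(db, hostile))   # every row comes back
    print("bound:       ", lookup_bound(db, hostile))    # nothing matches
    print("set, bound:  ", lookup_in_set(db, ["carol", "alice", "x') OR ('1'='1"]))
```

Running the block prints all three names for the concatenated query, an empty list for the bound query, and only `alice` and `carol` for the bound set, since the third element is compared as a literal and never reaches the parser as SQL.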