Re: Prepared Statements
From | Fernando Nasser |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 3F1C00F9.2060101@redhat.com |
In reply to | Re: Prepared Statements (Fernando Nasser <fnasser@redhat.com>) |
List | pgsql-jdbc |
Dmitry Tkach wrote:

> Fernando Nasser wrote:
>
>> Dmitry Tkach wrote:
>>
>>> Two things that strike me here:
>>>
>>> - no mention of "security" stuff whatsoever. The sole purpose of
>>> PreparedStatement according to this is to "efficiently execute this
>>> statement multiple times",
>>> not "to prevent sql injection attacks" or anything like that;
>>
>> Because in "real" prepared statements there is no such risk. The risk
>> is the artifact of a bug in our client side simulation of prepared
>> statements (not real prepared statements as per definition).
>
> My point was that the risk exists, when you do *not* use
> PreparedStatements, right?
> If the purpose of PreparedStatement was to eliminate that risk, it would
> have been mentioned. But it is not. Because PreparedStatement has
> nothing to do with the security. It is all about efficiency.

I don't agree with your reading. It is not mentioned because it is intrinsically safe.

>>> - it is *explicitly* stated that setObject () should be used for
>>> "arbitrary type conversions";
>>
>> Not that arbitrary. There is a table specifying for each java type
>> that the passed object is member of the proper JDBC type for the
>> converted result. Which must be the type of the field you are trying
>> to specify the value for.
>>
>> So it is not that arbitrary.
>
> It doesn't say *how* arbitrary. It just says "arbitrary". :-)
> If you could only pass objects of types in that table, you would not
> need setObject () - just setString(), setInt() etc... would suffice.
> The whole idea of setObject () is to be able to pass in an argument for
> each there is no specialized setter function.

No, you are misreading the spec. The catch all is there, java class, which results in JAVA_OBJECT. The setObject method is intended to allow conversion between types, which is not possible with the type specific setXXX that always converts to the default type for that method.
--
Fernando Nasser
Red Hat - Toronto                       E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
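The two points argued in the thread, as an added Java example that is not part of the original message or of the PostgreSQL JDBC driver: a value bound through a PreparedStatement parameter is never parsed as SQL, while the same value concatenated into the query text is; and setObject with an explicit target SQL type makes the driver convert a Java object (here a String) to the column's type, which the typed setXXX methods do not. The table name, the connection URL and the credentials are placeholders assumed for the illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;

/*
 * Assumes a PostgreSQL JDBC driver on the classpath and a table
 *   CREATE TABLE accounts (id integer, owner text);
 * URL, user and password below are placeholders.
 */
public class ParamBindingDemo {

    // Unsafe: the caller's string becomes part of the SQL text, so a value
    // containing a quote changes the meaning of the statement.
    static int countByOwnerUnsafe(Connection c, String owner) throws SQLException {
        String sql = "SELECT count(*) FROM accounts WHERE owner = '" + owner + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the value travels as a parameter; whatever characters it
    // contains, the statement stays "owner = ?".
    static int countByOwner(Connection c, String owner) throws SQLException {
        String sql = "SELECT count(*) FROM accounts WHERE owner = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // setObject with an explicit target type: the id arrives as a String
    // (e.g. a request parameter) but is bound as SQL INTEGER, so the driver
    // performs the conversion; a non-numeric string is rejected at bind time
    // rather than being spliced into the query text.
    static String ownerById(Connection c, String idFromRequest) throws SQLException {
        String sql = "SELECT owner FROM accounts WHERE id = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setObject(1, idFromRequest, Types.INTEGER);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection details.
        try (Connection c = DriverManager.getConnection(
                "jdbc:postgresql://localhost/demo", "demo", "demo")) {
            String quoted = "o'brien";   // constructed sample input containing a quote
            // The concatenated form breaks (or is altered) on the embedded quote;
            // the parameterised form counts rows whose owner is exactly o'brien.
            System.out.println("prepared:  " + countByOwner(c, quoted));
            System.out.println("setObject: " + ownerById(c, "42"));
            // countByOwnerUnsafe(c, quoted) is kept only to show the contrast.
        }
    }
}
```

With the PostgreSQL driver, setObject(1, "42", Types.INTEGER) converts the string to an int before binding, whereas setString(1, "42") on an integer column would leave the comparison to the server; the point of the target type argument is exactly that the conversion is chosen by the caller rather than defaulting to the Java class of the argument.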