Re: prepared statements and sql injection
From | Oliver Jowett
---|---
Subject | Re: prepared statements and sql injection
Date | 
Msg-id | 45368E38.4090008@opencloud.com
In reply to | prepared statements and sql injection (Tore Halset <halset@pvv.ntnu.no>)
List | pgsql-jdbc
Tore Halset wrote:

> Without specifying a PrepareThreshold, are my sql statements
> "unprepared" in the jdbc driver before sent to the server? Or are they
> sent to the server as prepared statements? Does the PrepareThreshold
> control whether my statements are actually prepared or if the execution
> plan is cached?

When using the v3 protocol (7.4 servers and later) parameter values are always sent out-of-line from the query. The prepare threshold controls server-side statement reuse (i.e. caching of parse/plan results) only.

Even in cases where parameters are interpolated into the query string (e.g. when talking to a pre-7.4 server) the driver makes sure that parameter values are correctly quoted, so as long as you are correctly using parameter placeholders at the JDBC level you shouldn't need to worry about injection vulnerabilities there.

-O
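The distinction Oliver draws above (placeholders at the JDBC level versus values spliced into the SQL text, with the prepare threshold only governing server-side plan reuse) is shown in the following added example. It is not code from the thread or from the PgJDBC project; the database URL, credentials, table name and the threshold value of 5 are assumptions, and the `users(id, name)` table is a constructed sample schema. It uses the real `prepareThreshold` connection property and the `org.postgresql.PGStatement` interface (`isUseServerPrepare()`, `setPrepareThreshold(int)`), which exist in the PgJDBC driver.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.postgresql.PGStatement;

public class ParameterHandlingDemo {

    // Anti-pattern for comparison: the untrusted value becomes part of the SQL
    // text itself, so the parser sees whatever the caller typed. Never send this.
    static String concatenatedSql(String untrustedName) {
        return "SELECT id FROM users WHERE name = '" + untrustedName + "'";
    }

    // Correct form: the query text carries a placeholder only. Under the v3
    // protocol the driver sends the text in a Parse message and the value in a
    // separate Bind message, so the value can never alter the statement's shape.
    static int countByName(Connection conn, String untrustedName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, untrustedName);   // compared literally, quotes and all
            int rows = 0;
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows++;
                }
            }
            return rows;
        }
    }

    // Shows that the threshold only affects server-side statement reuse: the
    // same PreparedStatement switches to a named server-side statement after
    // it has been executed `threshold` times, with no change to how the
    // parameter value travels.
    static boolean usesServerPrepareAfter(Connection conn, int threshold) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            PGStatement pg = ps.unwrap(PGStatement.class);
            pg.setPrepareThreshold(threshold);
            ps.setString(1, "alice");
            for (int i = 0; i < threshold; i++) {
                try (ResultSet rs = ps.executeQuery()) { /* drain */ }
            }
            return pg.isUseServerPrepare();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection details; prepareThreshold=5 is an assumed setting
        // (the driver default is 5 as well).
        String url = "jdbc:postgresql://localhost:5432/testdb?prepareThreshold=5";
        String hostile = "' OR '1'='1";   // constructed sample input

        System.out.println("Text the parser would see with concatenation:");
        System.out.println("  " + concatenatedSql(hostile));

        try (Connection conn = DriverManager.getConnection(url, "app_user", "app_password")) {
            // With a placeholder the hostile string is just a name that no row has.
            System.out.println("Rows matched via placeholder: " + countByName(conn, hostile));
            System.out.println("Server-side prepare in use after threshold: "
                    + usesServerPrepareAfter(conn, 5));
        }
    }
}
```

`countByName` is the pattern the reply recommends: the driver, not the application, decides how the value reaches the server, and with a v3 server it is never interpolated into the SQL at all. `concatenatedSql` is only printed, never executed, to make visible what the parser would otherwise receive.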