Re: Prepared Statements
| From | Richard Welty |
|---|---|
| Subject | Re: Prepared Statements |
| Date | |
| Msg-id | E19ecAm-0006pm-7Q@skipper.averillpark.net |
| In reply to | Re: Prepared Statements (Oliver Jowett <oliver@opencloud.com>) |
| Responses | Re: Prepared Statements; Re: Prepared Statements |
| List | pgsql-jdbc |
On Tue, 22 Jul 2003 02:30:02 +1200 Oliver Jowett <oliver@opencloud.com> wrote:

> On Mon, Jul 21, 2003 at 10:18:19AM -0400, Dmitry Tkach wrote:
> > You can't possibly hope that JDBC driver will take care of all of the
> > security risks for you. If you don't know how to write safe code, you'll
> > be doomed. If you do, then you do not need help from jdbc driver. JDBC
> > driver's whole purpose is to provide an abstraction layer between a
> > database and an application program.
> > It has nothing to do with security whatsoever.

...

> Even if it was true, it's still better to have one piece of code that does
> the escaping, rather than N different ones. With escaping in the JDBC
> driver, you've reduced the scope of the code you need to audit for syntax
> from "all query strings and all parameters" to "the JDBC driver's
> parameter-escaping code and all query strings".

eewwww.

in a multi-tier architecture where the code that actually talks to the database is isolated from the GUI, this is a totally unreasonable expectation -- you really need to audit fields in the GUI, not somewhere way back in the code.

even if PostgreSQL's jdbc driver somehow had wonderful code to handle security problems, sensible DB independent code will _still_ need to audit in the GUI because there is no reasonable expectation that all jdbc drivers that might be used will have similar code.

i understand your desire for a single point of control, but moving this into the jdbc driver is simply wrong. there are simply better ways; java/swing/javabeans are powerful tools.

richard

--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
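As an added illustration of the two layers this exchange is about (example code, not from the thread or from the PostgreSQL JDBC driver): a GUI-tier field check of the kind Richard describes, beside a data-tier lookup that binds the value through a PreparedStatement so that quoting is done in one place, the driver, rather than at every query-building site. The `users` table, the name policy, and the connection URL are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class TwoTierLookup {

    // GUI tier: checks the field against what the application considers a
    // legal value (assumed policy: letters, spaces, apostrophes, hyphens,
    // 1-64 characters). This is a business-rule check, not SQL escaping.
    static final Pattern NAME_FIELD = Pattern.compile("[\\p{L} '-]{1,64}");

    static boolean isAcceptableName(String field) {
        return field != null && NAME_FIELD.matcher(field).matches();
    }

    // Data tier: the statement text is constant and the value is bound as a
    // parameter. The driver is responsible for quoting, so there is a single
    // place to audit, whichever tier supplied the value.
    static Integer findUserId(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : null;
            }
        }
    }

    // The concatenating alternative: every call site like this must escape
    // correctly, which is exactly the audit burden the thread is arguing
    // about. Shown for comparison only; it is never executed against the DB.
    static String concatenated(String name) {
        return "SELECT id FROM users WHERE name = '" + name + "'";
    }

    public static void main(String[] args) throws SQLException {
        String field = "O'Brien";                        // constructed sample input
        System.out.println(isAcceptableName(field));     // true: passes the GUI check
        System.out.println(concatenated(field));         // unbalanced quote in the text
        // Assumed placeholder URL; override with -Djdbc.url=... for a real database.
        String url = System.getProperty("jdbc.url", "jdbc:postgresql://localhost/example");
        try (Connection conn = DriverManager.getConnection(url)) {
            System.out.println(findUserId(conn, field)); // value bound, never spliced in
        }
    }
}
```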