From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
---|---|
To: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
Cc: | Fernando Nasser <fnasser(at)redhat(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
Subject: | Re: Prepared Statements |
Date: | 2003-07-21 15:11:10 |
Message-ID: | 20030721151110.GL2506@opencloud.com |
Lists: | pgsql-jdbc |
On Mon, Jul 21, 2003 at 10:39:11AM -0400, Dmitry Tkach wrote:
> Oliver Jowett wrote:
>
> >Even if it was true, it's still better to have one piece of code that does
> >the escaping, rather than N different ones. With escaping in the JDBC
> >driver, you've reduced the scope of the code you need to audit for syntax
> >from "all query strings and all parameters" to "the JDBC driver's
> >parameter-escaping code and all query strings".
> >
>
> Sure. And that's good.
> That's precisely the point - if you guys start taking functionality
> away, so that I am no longer able to do things with it that I used to
> be able to do, then I will not be able to benefit from it as much as I
> used to - I'll have to switch from PreparedStatements to Statements and
> do all that escaping/parsing on my own.
> That's exactly what I am trying to avoid.
The functionality we are "taking away" allows you to bypass the JDBC
driver's parameter escaping. You can't have it both ways.
-O
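The audit-scope argument above, shown side by side in code. This is an added example and is not part of the thread or of the PostgreSQL JDBC driver; it assumes a `users` table with `id` and `name` columns and a placeholder connection URL. The `Statement` path carries its own hand-written `escapeLiteral` (one of the "N different" copies the thread warns about), so both the query text and the escaping code must be audited; the `PreparedStatement` path hands the value to the driver's single escaping routine, so only the query string remains to audit. Anything that cannot be a bind parameter (a column or table name chosen at runtime, for instance) stays in the query string, which is exactly the part that remains in scope.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ParameterEscapingDemo {

    // Hand-rolled literal escaping for the Statement path. Every place that
    // builds SQL by concatenation needs a copy of this, and every copy has to
    // be reviewed: this is the "N different ones" in the thread.
    static String escapeLiteral(String value) {
        return value.replace("\\", "\\\\").replace("'", "''");
    }

    // Statement path: the caller assembles SQL text from the parameter, so the
    // parameter, the escaping and the query string are all in audit scope.
    static String buildWithStatement(String userName) {
        return "SELECT id FROM users WHERE name = '" + escapeLiteral(userName) + "'";
    }

    static int countWithStatement(Connection conn, String userName) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildWithStatement(userName))) {
            return countRows(rs);
        }
    }

    // PreparedStatement path: the value is bound, never spliced into SQL text
    // by application code. Only the query string below needs a syntax audit;
    // the escaping lives in one place, inside the driver.
    static int countWithPrepared(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps =
                 conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL (assumption): point it at any database that has a
        // users(id, name) table.
        String url = args.length > 0 ? args[0] : "jdbc:postgresql://localhost/testdb";

        // A legitimate value containing a quote: the case escaping exists for.
        String name = "O'Brien";

        try (Connection conn = DriverManager.getConnection(url)) {
            // Both paths should agree for well-formed input; the difference is
            // how much code stands between the value and the SQL parser.
            System.out.println("Statement path:         " + countWithStatement(conn, name));
            System.out.println("PreparedStatement path: " + countWithPrepared(conn, name));
        }
    }
}
```

Run it as `java ParameterEscapingDemo <jdbc-url>` with the driver on the classpath. The two counts match for ordinary input; the point of the example is that `countWithPrepared` would still be correct if `escapeLiteral` were deleted, because nothing in application code is doing the quoting.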