Re: Prepared Statements

From: Dmitry Tkach <dmitry(at)openratings(dot)com>
To: Fernando Nasser <fnasser(at)redhat(dot)com>
Cc: Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net>
Subject: Re: Prepared Statements
Date: 2003-07-21 14:18:19
Message-ID: 3F1BF62B.4020609@openratings.com
Lists: pgsql-jdbc

Fernando Nasser wrote:

> Dima Tkach wrote:
>
>> I was fairly happy with what it used to be - just call setObject ()
>> and be done with it
>
>
> Unfortunately that is not an option as it is a security risk.
>
> You cannot leave a driver out there which allows people to insert
> potentially harmful SQL statements just to make it easier for someone
> to specify a set.

The driver allows people to "insert potentially harmful SQL" *anyway* -
even if every "problem" of this kind with PreparedStatement is fixed,
the *driver* still allows you to send in anything you want by simply
using Statement instead...

You can't possibly hope that the JDBC driver will take care of all of the
security risks for you. If you don't know how to write safe code, you'll
be doomed. If you do, then you do not need help from the JDBC driver. The JDBC
driver's whole purpose is to provide an abstraction layer between a
database and an application program.
It has nothing to do with security whatsoever.

Dima
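The distinction the message turns on (a Statement lets the application splice values into SQL text, a PreparedStatement binds them as parameters) is shown below as an added example; it is not code from this thread or from the pgsql-jdbc driver. Because the JDBC driver needs a running PostgreSQL server, the example uses Python's built-in sqlite3 module as an offline stand-in: `lookup_by_concatenation` behaves like Statement with string building, `lookup_by_parameter` like PreparedStatement with a bound value, and `lookup_by_set` is one way to handle the "specify a set" case by expanding one placeholder per element while still binding every value. The `users` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example: not from any real system.
SEED_ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_by_concatenation(conn, name):
    """Statement-style: the application builds the SQL text itself.

    Whatever is in `name` becomes part of the query, so a value such as
    "x' OR '1'='1" changes the WHERE clause and returns every row.
    """
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_by_parameter(conn, name):
    """PreparedStatement-style: the value is bound, never parsed as SQL.

    The same "x' OR '1'='1" input is compared literally against the
    name column and matches nothing.
    """
    sql = "SELECT id, name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def lookup_by_set(conn, names):
    """Bind a whole set for an IN list: one placeholder per element.

    Only the placeholder count comes from the application; the element
    values are still bound, so a hostile element cannot alter the query.
    """
    names = list(names)
    if not names:
        return []
    placeholders = ", ".join("?" * len(names))
    sql = f"SELECT id, name, role FROM users WHERE name IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, tuple(names)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("concatenated:", lookup_by_concatenation(db, hostile))
    print("parameterised:", lookup_by_parameter(db, hostile))
    print("set:", lookup_by_set(db, ["carol", "alice", hostile]))
```

The point of the third function is that binding a set does not require giving up parameters: the application decides how many `?` markers to emit, the driver receives the values separately, and the hostile element is simply one more string compared against the column.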
