Re: prepared statements and sql injection

From: Oliver Jowett <oliver(at)opencloud(dot)com>
To: Tore Halset <halset(at)pvv(dot)ntnu(dot)no>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: prepared statements and sql injection
Date: 2006-10-18 20:27:36
Message-ID: 45368E38.4090008@opencloud.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-jdbc

Tore Halset wrote:

> Without specifying a PrepareThreshold, are my sql statements
> "unprepared" in the jdbc driver before sent to the server? Or are they
> sent to the server as prepared statements? Does the PrepareThreshold
> control whether my statements are actually prepared or if the execution
> plan are cached?

When using the v3 protocol (7.4 servers and later) parameter values are
always sent out-of-line from the query. The prepare threshold controls
server-side statement reuse (i.e. caching of parse/plan results) only.

Even in cases where parameters are interpolated into the query string
(e.g. when talking to a pre-7.4 server) the driver makes sure that
parameter values are correctly quoted, so as long as you are correctly
using parameter placeholders at the JDBC level you shouldn't need to
worry about injection vulnerabilities there.

-O

In response to

Browse pgsql-jdbc by date

  From Date Subject
Next Message Dave Cramer 2006-10-19 22:44:36 JDBC CTS failures
Previous Message Tore Halset 2006-10-18 19:15:03 prepared statements and sql injection