Re: [JDBC] Prepared statement performance... - Mailing list pgsql-general

From Peter Kovacs
Subject Re: [JDBC] Prepared statement performance...
Date
Msg-id 00fe01c27353$9d67caa0$55550a8b@ACER
Whole thread Raw
In response to Re: [JDBC] Prepared statement performance...  (Curt Sampson <cjs@cynic.net>)
List pgsql-general
> > The uses of the Statement object and PreparedStatement object do not
> > IMHO have anything to do with you many times you use them.  They have to
> > do with how you supply values in the sql statement.  If you use just the
> > Statement object you are required to know the postgres date format in
> > order to include a date value, where it is much easier (and more
> > portable across databases) to just use a PreparedStatement, a ?, and a
> > setDate() call.
>
> I agree entirely. Even more importantly, it's much, much more difficult
> to write a secure application (one not subject to SQL injection attacks)
> if you are forced to quote data yourself. The driver already knows how
> to deal with any string you pass to it; why would you want to re-write
> that code, possibily introducing errors into it? (For those not familiar
> with SQL injection attacks, I'm referring to the situation where someone
> types, say, "foo'; DROP TABLE bar;" into the "Name" field on your web
> form, or whatever.)
>

I do not clearly understand what the problem is with someone typing in
"foo'; DROP TABLE bar;" into the "Name" field on your web form.



pgsql-general by date:

Previous
From: Tommi Maekitalo
Date:
Subject: Re: Migrating from Informix to Postgre
Next
From: "Benny"
Date:
Subject: Opening postgres 5432 port