Re: Prepared Statements - Mailing list pgsql-jdbc

From Oliver Jowett
Subject Re: Prepared Statements
Date
Msg-id 20030721143002.GF2506@opencloud.com
Whole thread Raw
In response to Re: Prepared Statements  (Kim Ho <kho@redhat.com>)
Responses Re: Prepared Statements
Re: Prepared Statements
List pgsql-jdbc
On Mon, Jul 21, 2003 at 10:18:19AM -0400, Dmitry Tkach wrote:

> You can't possibly hope that JDBC driver will take care of alll of the
> security risks for you. If you don't know how to write safe code, you'll
> be doomed. If you do, then you do not need help from jdbc driver. JDBC
> driver's whole purpose is to provide an abstraction layer between a
> database and an application program.
> It has nothing to do with security whatsoever.

This is only true if all DBs use identical SQL syntax, which they don't.
Tried embedding a NUL into a query lately?

Even if it was true, it's still better to have one piece of code that does
the escaping, rather than N different ones. With escaping in the JDBC
driver, you've reduced the scope of the code you need to audit for syntax
from "all query strings and all parameters" to "the JDBC driver's
parameter-escaping code and all query strings".

-O

pgsql-jdbc by date:

Previous
From: Dmitry Tkach
Date:
Subject: Re: Prepared Statements
Next
From: Oliver Jowett
Date:
Subject: Re: Prepared Statements