Re: Prepared Statements - Mailing list pgsql-jdbc

From Dmitry Tkach
Subject Re: Prepared Statements
Msg-id 3F1BF62B.4020609@openratings.com
In response to Re: Prepared Statements  (Fernando Nasser <fnasser@redhat.com>)
List pgsql-jdbc
Fernando Nasser wrote:

> Dima Tkach wrote:
>
>> I was fairly happy with what it used to be - just call setObject ()
>> and be done with it
>
>
> Unfortunately that is not an option as it is a security risk.
>
> You cannot leave a driver out there which allows people to insert
> potentially harmful SQL statements just to make it easier for someone
> to specify a set.

The driver allows people to "insert potentially harmful SQL" *anyway* -
even if every "problem" of this kind with PreparedStatement is fixed,
the *driver* still allows you to send in anything you want by simply
using Statement instead...

You can't possibly hope that the JDBC driver will take care of all of the
security risks for you. If you don't know how to write safe code, you'll
be doomed. If you do, then you do not need help from the JDBC driver. JDBC
driver's whole purpose is to provide an abstraction layer between a
database and an application program.
It has nothing to do with security whatsoever.

Dima
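The contrast the two posts are arguing over, shown in code. This is an added example, not code from the pgsql-jdbc driver or from either poster: a plain Statement with the value concatenated into the SQL text (the "send in anything you want" path), the same query with the value bound through a PreparedStatement, and the set case Dima wanted setObject() to cover, done with one placeholder per element. The table `users`, its columns `id` and `name`, and the method names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Collection;
import java.util.Collections;

// Added example; assumes a table users(id, name). Not driver code.
public class ParamDemo {

    // The path the driver cannot close: plain Statement with the caller's
    // string spliced into the SQL. Any quote in `name` alters the statement
    // text (a value like O'Brien already breaks the query), so a crafted
    // value changes what the query means. Kept here only as the "before".
    static ResultSet findByNameUnsafe(Connection conn, String name) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + name + "'");
    }

    // Bound parameter: the driver sends `name` as data, never as SQL text,
    // so quotes in the value are just characters in the value.
    static ResultSet findByNameSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // The set case: a collection still needs one placeholder per element.
    // Only the element COUNT shapes the SQL string; every value is bound
    // with setObject(), so nothing from the set reaches the SQL text.
    static PreparedStatement findByIds(Connection conn, Collection<Integer> ids) throws SQLException {
        if (ids.isEmpty()) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        String placeholders = String.join(",", Collections.nCopies(ids.size(), "?"));
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id FROM users WHERE id IN (" + placeholders + ")");
        int i = 1;
        for (Integer id : ids) {
            ps.setObject(i++, id);
        }
        return ps;
    }
}
```

The point of the third method is the one Fernando is guarding: the convenience of passing a whole set can be had without letting values touch the SQL string, since the only thing concatenated is a run of `?` derived from the size, not from the contents. Whether a driver should offer that as a built-in setObject() overload is the question the thread leaves open; an application can get the safe behaviour either way.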
