Re: Prepared Statements - Mailing list pgsql-jdbc

From Fernando Nasser
Subject Re: Prepared Statements
Date
Msg-id 3F1BF8A4.4020205@redhat.com
In response to Re: Prepared Statements  (Fernando Nasser <fnasser@redhat.com>)
Responses Re: Prepared Statements  (Dmitry Tkach <dmitry@openratings.com>)
List pgsql-jdbc
Dmitry Tkach wrote:
>
> Two things that strike me here:
>
> - no mention of "security" stuff whatsoever. The sole purpose of
> PreparedStatement according to this is to "efficiently execute this
> statement multiple times",
> not "to prevent sql injection attacks" or anything like that;
>

Because in "real" prepared statements there is no such risk.  The risk is an
artifact of a bug in our client-side simulation of prepared statements (not real
prepared statements as per the definition).


> - it is *explicitly* stated that setObject () should be used for
> "arbitrary type conversions";
>

Not that arbitrary.  There is a table specifying, for each Java type that the
passed object is a member of, the proper JDBC type for the converted result.  That
must be the type of the field you are trying to specify the value for.

So it is not that arbitrary.

--
Fernando Nasser
Red Hat - Toronto                       E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
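An added illustration of the two points discussed above (one statement prepared once and executed for several rows, and setObject choosing the JDBC type from the spec's Java-to-JDBC table), written for this page and not code from the thread or from the pgsql-jdbc driver; the database URL, credentials, table and row values are assumed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.sql.Types;
public class PreparedStatementDemo {
    // Assumed (not from the thread): database "demo" on localhost, user/password
    // "demo", holding: CREATE TABLE events (id integer, label text, seen_at timestamp);
    private static final String URL = "jdbc:postgresql://localhost:5432/demo";
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, "demo", "demo")) {
            // Prepared once, executed once per row: the reuse the spec describes.
            String insert = "INSERT INTO events (id, label, seen_at) VALUES (?, ?, ?)";
            try (PreparedStatement ps = conn.prepareStatement(insert)) {
                // Constructed rows; the second label contains a quote on purpose.
                Object[][] rows = {
                    {1, "plain", Timestamp.valueOf("2003-07-21 10:00:00")},
                    {2, "o'brien", Timestamp.valueOf("2003-07-21 11:00:00")},
                };
                for (Object[] r : rows) {
                    // setObject takes the JDBC type from the spec's Java-to-JDBC table:
                    // Integer -> INTEGER, String -> VARCHAR, Timestamp -> TIMESTAMP.
                    ps.setObject(1, r[0]);
                    ps.setObject(2, r[1]);
                    ps.setObject(3, r[2]);
                    ps.executeUpdate();
                }
                // Three-argument form: the target JDBC type is named explicitly,
                // so the Java String "3" is converted to an INTEGER parameter.
                ps.setObject(1, "3", Types.INTEGER);
                ps.setObject(2, "explicit", Types.VARCHAR);
                ps.setObject(3, Timestamp.valueOf("2003-07-21 12:00:00"), Types.TIMESTAMP);
                ps.executeUpdate();
            }
            // A bound value is data, never SQL text: the quote needs no escaping.
            String select = "SELECT id, seen_at FROM events WHERE label = ?";
            try (PreparedStatement q = conn.prepareStatement(select)) {
                q.setObject(1, "o'brien");
                try (ResultSet rs = q.executeQuery()) {
                    while (rs.next()) {
                        System.out.println(rs.getInt(1) + " " + rs.getTimestamp(2));
                    }
                }
            }
        }
    }
}
```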

