Re: Prepared Statements - Mailing list pgsql-jdbc

From Fernando Nasser
Subject Re: Prepared Statements
Date
Msg-id 3F1C00F9.2060101@redhat.com
Whole thread Raw
In response to Re: Prepared Statements  (Fernando Nasser <fnasser@redhat.com>)
List pgsql-jdbc
Dmitry Tkach wrote:
> Fernando Nasser wrote:
>
>> Dmitry Tkach wrote:
>>
>>>
>>> Two things that strike me here:
>>>
>>> - no mention of "security" stuff whatsoever. The sole purpose of
>>> PreparedStatement according to this is to "efficiently execute this
>>> statement multiple times",
>>> not "to prevent sql injection attacks" or anything like that;
>>>
>>
>> Because in "real" prepared statements there is no such risk.  The risk
>> is the artifact of a bug in our client side simulation of prepared
>> statements (not real prepared statements as per definition).
>
>
> My point was that  the risk exists, when you do *not* use
> PreparedStatements, right?
> If the purpose of PreparedStatement was to eliminate that risk, it would
> have been mentioned. But it is not. Because PreparedStatement has
> nothing to do with the security. It is all about efficiency.
>

I don't agree with your reading.  It is not mentioned because it is
intrinsically safe.


>
>>> - it is *explicitly* stated that setObject () should be used for
>>> "arbitrary type conversions";
>>>
>>
>> Not that arbitrary.  There is a table specifying for each java type
>> that the passed object is member of the proper JDBC type for the
>> converted result.  Which must be the type of the field you are trying
>> to specify the value for.
>>
>> So it is not that arbitrary.
>
>
> It doesn't say *how* arbitrary. It just says "arbitrary". :-)
> If you could only pass objects of types in that table, you would not
> need setObject () - just setString(), setInt() etc... would suffice.
> The whole idea of setObject () is to be able to pass in an argument for
> each type for which there is no specialized setter function.
>

No, you are misreading the spec.  The catch-all is there, Java class, which
results in JAVA_OBJECT.

The setObject method is intended to allow conversion between types, which is not
possible with the type specific setXXX that always convert to the default type
for that method.

--
Fernando Nasser
Red Hat - Toronto                       E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
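To make the contract the two of them are arguing about concrete, here is an added example (written for this page, not code from the thread or from the PostgreSQL JDBC driver). It runs the same lookup three ways: by string concatenation, which lets a value containing a quote change the statement's grammar; by a bound parameter, which the server (or the driver's client-side simulation, when it is correct) never parses as SQL; and by setObject with an explicit target SQL type, which is the conversion case Fernando refers to. The JDBC URL, credentials and the users table (id integer, name text) are placeholders assumed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;

/**
 * Added example, not from the thread. Assumes a PostgreSQL database reachable
 * at URL below (placeholder) with a table created as:
 *   CREATE TABLE users (id integer PRIMARY KEY, name text NOT NULL);
 */
public class PreparedStatementDemo {

    // Placeholder connection details; replace with your own.
    static final String URL = "jdbc:postgresql://localhost:5432/example";

    // Unsafe: the value is spliced into the SQL text, so any quote in it is
    // read as SQL syntax rather than as data. With "O'Brien" the statement no
    // longer parses and the driver throws an SQLException.
    static int countByConcatenation(Connection c, String name) throws SQLException {
        String sql = "SELECT count(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the value is bound as a parameter and never parsed as SQL, so
    // "O'Brien" simply matches (or fails to match) a row.
    static int countByParameter(Connection c, String name) throws SQLException {
        String sql = "SELECT count(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // setObject with an explicit target type: the driver converts the Java
    // String "42" to SQL INTEGER before binding. setString would bind it as
    // text, which is the "default type for that method" behaviour.
    static int countById(Connection c, String idAsText) throws SQLException {
        String sql = "SELECT count(*) FROM users WHERE id = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setObject(1, idAsText, Types.INTEGER);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder credentials.
        try (Connection c = DriverManager.getConnection(URL, "user", "password")) {
            String name = "O'Brien";   // ordinary data that happens to contain a quote
            System.out.println("bound parameter: " + countByParameter(c, name));
            System.out.println("setObject -> INTEGER: " + countById(c, "42"));
            try {
                System.out.println("concatenation: " + countByConcatenation(c, name));
            } catch (SQLException e) {
                // Expected: the quote broke the statement's syntax.
                System.out.println("concatenation failed: " + e.getMessage());
            }
        }
    }
}
```

The point of the thread is the middle case: the spec can stay silent about security because a bound parameter is data by construction. The risk Fernando mentions came from the driver's client-side simulation, which at the time rebuilt the SQL text from the parameters and therefore had to escape them correctly; a bug there, not the PreparedStatement interface itself, is what exposed concatenation-like behaviour.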
