> If using a PreparedStatement the driver correctly escapes all values to
> avoid SQL injection attacks. While this can also be done when using a
> regular Statement object, it is then the responsibility of the programmer
> to a) remember they need to escape, b) know specifically how postgresql
> needs things escaped, and c) to actually escape all user input.
> Invariably this will be forgotten some of the time and therefore I would
> always recommend using PreparedStatements when you don't have control over
> the values that are being used in the SQL statements.
This is a corollary to your point b, but one of the most convincing
arguments I've ever heard for using prepared statements is when you change
databases you don't have to check and possibly modify all of your escaping
code. You also don't have to check any code you use for formatting
numbers, dates, booleans, etc.
Michael
--
Web Applications Developer
Open World Ltd, 11 Riverside Court, Riverside Road, Bath, BA2 3DZ.
Tel: +44 1225 444950 Fax: +44 1225 336738 http://www.openworld.co.uk/
CONFIDENTIALITY NOTICE
The information contained in this message is confidential, intended only
for the use of the individual or the entity named as recipient. If the
reader of this message is not that recipient, you are notified that any
dissemination, distribution or copy of this message is strictly
prohibited. If you have received this message in error, please immediately
notify us by telephone on the number above. Your co-operation is
appreciated.
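As an added illustration of the two approaches discussed above (example code, not from this thread or from the PostgreSQL JDBC project), the following Java program runs the same user lookup once through string concatenation on a plain Statement and once through a PreparedStatement with a bound parameter. The connection URL, credentials, the temporary users table and the hostile input are all assumed or constructed for the example; it needs the PostgreSQL JDBC driver on the classpath and a reachable server.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedVsConcatenated {

    // Assumed connection details; adjust for your own PostgreSQL instance.
    private static final String URL = "jdbc:postgresql://localhost:5432/demo";
    private static final String USER = "demo";
    private static final String PASSWORD = "demo";

    // Constructed attacker-controlled input: the single quote closes the
    // string literal and the rest appends a tautology to the WHERE clause.
    static final String HOSTILE_INPUT = "x' OR '1'='1";

    // Vulnerable: the value is spliced into the SQL text, so the driver
    // never sees it as a parameter and the quote becomes SQL syntax.
    static String buildConcatenatedSql(String username) {
        return "SELECT id, username FROM users WHERE username = '" + username + "'";
    }

    static int countWithStatement(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildConcatenatedSql(username))) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // Hardened: a placeholder plus setString/setBoolean. The driver binds the
    // values, so the quote stays data, and the boolean needs no hand-written
    // formatting that would have to be revisited on a different database.
    static int countWithPreparedStatement(Connection conn, String username, boolean active)
            throws SQLException {
        String sql = "SELECT id, username FROM users WHERE username = ? AND active = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setBoolean(2, active);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            // Constructed fixture: a session-local table so the example needs
            // nothing but an empty database to run against.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TEMP TABLE users ("
                        + "id serial PRIMARY KEY, username text NOT NULL, active boolean NOT NULL)");
                st.execute("INSERT INTO users (username, active) VALUES "
                        + "('alice', true), ('bob', true), ('carol', false)");
            }
            System.out.println("Statement, concatenated input: "
                    + countWithStatement(conn, HOSTILE_INPUT) + " rows");
            System.out.println("PreparedStatement, bound input: "
                    + countWithPreparedStatement(conn, HOSTILE_INPUT, true) + " rows");
            System.out.println("PreparedStatement, real user:   "
                    + countWithPreparedStatement(conn, "alice", true) + " rows");
        }
    }
}
```

Run it with the driver jar on the classpath (for example `java -cp postgresql.jar:. PreparedVsConcatenated`). The concatenated query returns every row in the table because the injected tautology rewrites the WHERE clause, while the prepared query returns no rows for the hostile input and exactly one row for a genuine username; nothing in the hardened path is PostgreSQL-specific, which is the portability point made above.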