Thread: prepared statements and sql injection

prepared statements and sql injection

From
Tore Halset
Date:
Hello.

Sorry for asking this newbie question, but reading the following web
page made me get a bit paranoid...

http://jdbc.postgresql.org/documentation/81/server-prepare.html

I am a bit concerned about "There are a number of ways to enable
server side prepared statements depending on your application's
needs". I am using prepared statements to be sure that my application
is not vulnerable to sql injection attacks, but I do not specify a
"prepare threshold". Should I?

Without specifying a PrepareThreshold, are my sql statements
"unprepared" in the jdbc driver before being sent to the server? Or are
they sent to the server as prepared statements? Does the
PrepareThreshold control whether my statements are actually prepared
or whether the execution plan is cached?

  - Tore.

Re: prepared statements and sql injection

From
Oliver Jowett
Date:
Tore Halset wrote:

> Without specifying a PrepareThreshold, are my sql statements
> "unprepared" in the jdbc driver before being sent to the server? Or are they
> sent to the server as prepared statements? Does the PrepareThreshold
> control whether my statements are actually prepared or whether the execution
> plan is cached?

When using the v3 protocol (7.4 servers and later), parameter values are
always sent out-of-line from the query. The prepare threshold controls
server-side statement reuse (i.e. caching of parse/plan results) only.

Even in cases where parameters are interpolated into the query string
(e.g. when talking to a pre-7.4 server) the driver makes sure that
parameter values are correctly quoted, so as long as you are correctly
using parameter placeholders at the JDBC level you shouldn't need to
worry about injection vulnerabilities there.

-O
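The distinction Oliver draws, as an added example that is not part of the thread: parameter placeholders keep the value out of the SQL text regardless of the threshold, while prepareThreshold only tunes server-side plan reuse. The connection URL, credentials, table and column names are assumed for illustration, and the PGConnection.setPrepareThreshold call is the driver's documented API.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.postgresql.PGConnection;

public class PreparedLookup {

    // Constructed connection string; adjust to your environment.
    // "?prepareThreshold=5" could be appended here instead of the call in main().
    private static final String URL = "jdbc:postgresql://localhost:5432/appdb";

    // The pattern to avoid: the caller's value becomes part of the SQL text,
    // so any quote character in it changes the meaning of the statement.
    static String concatenatedQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // The safe pattern: the value is bound to a "?" placeholder. Over the v3
    // protocol it is transmitted separately from the query text; against a
    // pre-7.4 server the driver quotes it itself. Either way it is data only.
    static Integer lookupUserId(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, "app", "secret")) {
            // Performance knob only: after 5 executions of the same statement the
            // driver asks the server to keep the parsed/planned form around.
            // 0 disables server-side reuse; parameter handling is unchanged.
            conn.unwrap(PGConnection.class).setPrepareThreshold(5);

            // A name containing an apostrophe is handled correctly as a parameter,
            // whereas concatenatedQuery() would produce malformed SQL for it.
            String name = "o'brien";
            System.out.println("unsafe text would be: " + concatenatedQuery(name));
            System.out.println("id for " + name + ": " + lookupUserId(conn, name));
        }
    }
}
```

Logging the server-side statements (log_statement = 'all' in postgresql.conf) shows the placeholder query arriving with the value as a separate bind parameter, which is a quick way to confirm the driver is behaving as described.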