cayenne-user mailing list archives

From Tobias.Schoess...@unvienna.org
Subject Re: prepared statements
Date Wed, 18 Oct 2006 19:10:36 GMT
If I may assume "If you do not fix this, your application is doomed to utter and total failure
from day one." was referring to the possible danger of SQL code injection when not using prepared
statements but simple constructed SQL strings fired against ORACLE.

Joshua Pyle <joshua.t.pyle@gmail.com> wrote:
The #bind and general templating you can do in SQLTemplate has come
in very handy for me.  And you are on the right path.

From what I understand the binding gets done at a Velocity level and
JDBC PreparedStatements get created.  I don't believe it's DB
dependent.

Someone please correct me if I'm wrong.


-- 
Joshua T. Pyle
Go has always existed.

On 10/18/06, Bryan Lewis <bryan@maine.rr.com> wrote:
> I just wanted to confirm something with the group.  I've been using
> SQLTemplate for a few special-purpose things in our apps, mainly for
> quick counts or searches.  However, someone pointed out to me recently
> that it was bad to pass simple SQL strings to Oracle; I should be using
> bind variables instead, or in the Java idiom, creating
> PreparedStatements.  For example,
> http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:528893984337
> preaches, "If you do not fix this, your application is doomed to utter
> and total failure from day one."  I thought that was overstating the
> problem just a bit, seeing as how our apps have done well for a couple
> of years past day one, but okay, I'll heed the advice.
>
> It appears that this isn't hard to do with SQLTemplate, using the #bind
> directive.  I skimmed the Cayenne code and saw where it creates a
> PreparedStatement with the parameters.  Very cool.
>
> Assuming I'm on the right track so far... Will this work equally well on
> different databases?  Oracle and PostgreSQL are the only ones I really
> care about.  A Google search didn't turn up anything definitive about which
> databases accept bind variables, but maybe they use different terms.
>
> Thanks.
>
>
>

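An added illustration of the point the thread is making, written for this archive page and not taken from the Cayenne project or any of the posters: the string-concatenated query that the Ask Tom article warns about, beside the same count expressed with SQLTemplate and the #bind directive so that Cayenne hands the value to the JDBC driver as a PreparedStatement parameter. The entity name "Artist", the table and column names ARTIST and NAME, the class name, the caller-supplied DataContext and the hostile sample input are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.cayenne.access.DataContext;
import org.apache.cayenne.query.SQLTemplate;

// Example written for this archive page, not Cayenne project code.
// Assumed: a DataMap with an ObjEntity named "Artist" backed by a table
// ARTIST that has a NAME column, and a DataContext the caller already built.
public class BindCountExample {

    // UNSAFE: the caller's value is spliced into the SQL text. Besides the
    // injection risk, every distinct name produces a different statement
    // string, which is the hard-parse problem the Ask Tom article is about.
    public static String unsafeCountSql(String name) {
        return "SELECT COUNT(*) FROM ARTIST WHERE NAME = '" + name + "'";
    }

    // SAFE: #bind leaves a '?' placeholder in the SQL that Cayenne sends to
    // the JDBC driver and passes the value as a PreparedStatement parameter.
    // The statement text is the same for every name, so the value can never
    // be parsed as SQL and the database can reuse the parsed statement.
    public static final String SAFE_COUNT_TEMPLATE =
        "SELECT COUNT(*) FROM ARTIST WHERE NAME = #bind($name 'VARCHAR')";

    public static long safeCount(DataContext context, String name) {
        SQLTemplate query = new SQLTemplate("Artist", SAFE_COUNT_TEMPLATE);
        // COUNT(*) is not an entity, so ask for raw data rows (one Map per row).
        query.setFetchingDataRows(true);
        query.setParameters(Collections.singletonMap("name", name));

        List rows = context.performQuery(query);
        Map row = (Map) rows.get(0);
        // Read the single column by position rather than by alias: Oracle
        // upper-cases unquoted column labels, PostgreSQL lower-cases them.
        Number count = (Number) row.values().iterator().next();
        return count.longValue();
    }

    // Shows, without a database, how the unsafe version's query text changes
    // when the input contains a quote. Constructed input, not real data.
    public static void main(String[] args) {
        String hostile = "x' OR '1'='1";
        System.out.println(unsafeCountSql("Picasso"));
        System.out.println(unsafeCountSql(hostile));
        System.out.println(SAFE_COUNT_TEMPLATE);
    }
}
```

On either database the SQL that reaches the driver is `SELECT COUNT(*) FROM ARTIST WHERE NAME = ?`, which is plain JDBC positional binding, so the template behaves the same on Oracle and PostgreSQL. The `'VARCHAR'` type hint is optional; Cayenne infers the JDBC type from the Java object when it is left out. One caveat for anyone adopting this: #bind protects values only. A table or column name cannot be a bind parameter, and a template that splices one in from user input brings the injection problem straight back.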
