cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Puech <>
Subject Re : Problems with prepared statements
Date Wed, 06 Dec 2006 15:30:10 GMT
I don't want to receive this email anymore !!!
Thanks !

----- Message d'origine ----
De : Øyvind Harboe <>
À :
Envoyé le : Jeudi, 30 Novembre 2006, 11h35mn 35s
Objet : Re: Problems with prepared statements

On 11/29/06, Tore Halset <> wrote:
> On Nov 29, 2006, at 12:42 , Øyvind Harboe wrote:
> > So the MS Access adapter should contain a proxy jdbc driver that
> > "unprepares" statements?
> This is not related to cayenne at all, so it will be independant of
> the adapter.
> > I've never written a proxy jdbc driver nor have I unprepared
> > statements, but it sounds like fun. :-)
> You should know about all the bad things that can happen if you stop
> using prepared statements. Like security issues with sql injection.
> Create your own java.sql.Driver, Connection and PreparedStatement.
> Your Driver can handle jdbc urls like "myhack:jdbc:othervendor..".
> Your Connection wrap a underlying connection from the real database
> and forward all calls to that connection except for the calls that
> create PreparedStatements. Your PreparedStatement should wrap a
> standard Statement from the underlying jdbc driver. It should collect
> all parameters and convert the prepare sql sentence to a non-prepared
> sql sentence. You will get into lots of trouble with String escaping
> and so on... This is indeed the wrong path to follow.

Yuk! If I can't fix this in Cayenne, then I'll try to add some more
workarounds in the application.

At application my workaround is to use Expression.filterObjects()
instead of using a qualifier during the query if the query throws an

Øyvind Harboe


Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses

View raw message