db-derby-dev mailing list archives
From "Kathey Marsden (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-3676) Make the toString() method of Derby PreparedStatements print out SQL text with ? parameters replaced by the values that have been set so far
Date Fri, 19 Aug 2011 18:00:30 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13087837#comment-13087837 ]

Kathey Marsden commented on DERBY-3676:
---------------------------------------

I think including the internal Derby class names in the permission doesn't seem quite right,
although I guess we would need to specify derby specifically vs other databases.

Since this would be diagnostic tool and really shouldn't be used or parsed in any production
environment, we could as you suggest always revert to the old output when running under security
manager and not even bother with adding a permission at this time.  If someone comes back
with a reason they have to have it under security manager, then we can talk about their scenario,
permission names and security at that time.

Also this does seem specific to PreparedStatements as Statement would not have any sql text
or parameters directly associated with it.

I too think it is good to understand what the exact attack scenarios would be. I am not
sure I really understand it with local PreparedStatement instances. DriverManager.setLogWriter
really needed protection because it is a public static method that is part of the Java API.

> Make the toString() method of Derby PreparedStatements print out SQL text with ? parameters replaced by the values that have been set so far
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3676
>                 URL: https://issues.apache.org/jira/browse/DERBY-3676
>             Project: Derby
>          Issue Type: Improvement
>          Components: JDBC
>            Reporter: Rick Hillegas
>            Assignee: Siddharth Srivastava
>         Attachments: humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt,
> humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt,
> ick.txt, ick.txt, prepared.diff, statementCacheVTI.sql
>
>
> This topic came up in the following email thread on the user list: http://www.nabble.com/PreparedStatement.toString%28%29---nice-formatting-td17250811.html#a17250811
> Here's what the thread requests: 
> "In mysql, a toString() on a PreparedStatement will do this, eg "select x
> from foo where x.a = ?" will become "select x from foo where x.a = 1" with
> the appropriate setValue() call."
> At first blush, this seems like it might be a simple project for a newcomer.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
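An illustration of the behaviour discussed above, added here as an example and not Derby's own code: a stand-alone toString() that substitutes only the parameters set so far, leaves unset ones as ?, and falls back to the old non-revealing output whenever a security manager is installed instead of introducing a permission. The class name DiagnosticStatementText, its set() method and the rendering rules are assumptions, not Derby's API.

```java
// Hypothetical stand-alone model of the proposed PreparedStatement.toString();
// not Derby's implementation. Parameter indexes are 1-based, as in JDBC.
public final class DiagnosticStatementText {
    private final String sql;
    private final Object[] params;   // value bound to each '?' placeholder
    private final boolean[] isSet;   // true once a value has been set for it

    public DiagnosticStatementText(String sql) {
        this.sql = sql;
        int n = 0;
        boolean inLiteral = false;
        for (char c : sql.toCharArray()) {        // count '?' outside '...' literals
            if (c == '\'') inLiteral = !inLiteral;
            else if (c == '?' && !inLiteral) n++;
        }
        params = new Object[n];
        isSet = new boolean[n];
    }

    // Stands in for setInt/setString/...: records the value for placeholder i.
    public void set(int i, Object v) { params[i - 1] = v; isSet[i - 1] = true; }
    @Override public String toString() {
        // Under a security manager keep the old, non-revealing output instead of
        // defining a new permission, as the comment above proposes.
        if (System.getSecurityManager() != null) {
            return getClass().getName() + "@" + Integer.toHexString(hashCode());
        }
        StringBuilder out = new StringBuilder(sql.length() + 32);
        boolean inLiteral = false;
        for (int i = 0, p = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') inLiteral = !inLiteral;
            if (c == '?' && !inLiteral) {
                out.append(isSet[p] ? render(params[p]) : "?");  // unset stays '?'
                p++;
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
    // Renders a bound value as readable SQL-like text. The result is a diagnostic
    // string only and is never re-parsed or executed; quotes are doubled for readability.
    private static String render(Object v) {
        if (v == null) return "NULL";
        if (v instanceof Number || v instanceof Boolean) return v.toString();
        return "'" + v.toString().replace("'", "''") + "'";
    }
}
```

With the text `select x from foo where x.a = ? and b = ?` and only `set(1, 42)` called, toString() yields `select x from foo where x.a = 42 and b = ?`; the same call under a security manager yields the usual class@hash form.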
