db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel John Debrunner <...@apache.org>
Subject Re: unable to execute procedure
Date Tue, 04 Apr 2006 23:23:02 GMT
Daniel John Debrunner wrote:


> May I suggest that if you are writing samples for others to use that you
> demonstrate use of parameter markers in PreparedStatements. This will
> perfom better on Derby and all other relational database engines.

Another reason to use PreparedStatements is to avoid all the security
concerns that come with SQL injection issues.

Creating the text of the SQL statement like this:

"select TOTAL_TAKEN
from DTP.LEAVE_APPROV where EMPLOYEE_ID=" + employee + " and
LEAVE_TYPE_ID=" + leaveTypeId

allows the parameters to modify the meaning of the SQL statement. This
approach has caused many security holes in PHP programs. E.g. pass in a
user name that ends with the '--' comment lead in, leads to the
statement being:

select TOTAL_TAKEN
from DTP.LEAVE_APPROV where EMPLOYEE_ID=fred -- and LEAVE_TYPE_ID=" +
leaveTypeId

Not what the application developer intended.


Using PreparedStatements and parameter markers means the SQL statement
cannot be modified by user supplied values. A much safer approach.

Yes, one can try and be careful and verify all incoming data etc. etc.,
but using PreparedStatements is a much simpler approach.

Dan.
PS. Using PreparedStatements here would also have not lead to the buig
in the orginal statement, not there are no quotes around the passed in
employee string.





Mime
View raw message