db-derby-user mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: Why projects fail... wuz... Re: unable to execute procedure
Date Wed, 05 Apr 2006 17:33:10 GMT
Michael Segel wrote:

> On Tuesday 04 April 2006 6:23 pm, Daniel John Debrunner wrote:
> 
>>Daniel John Debrunner wrote:
>>
>>>May I suggest that if you are writing samples for others to use that you
>>>demonstrate use of parameter markers in PreparedStatements. This will
>>>perform better on Derby and all other relational database engines.
>>
>>Another reason to use PreparedStatements is to avoid all the security
>>concerns that come with SQL injection issues.
>>
> 
> [SNIP]
> 
> Uhm, I'm afraid this has nothing to do with the issue at hand, along with the 
> fact that it's not exactly true....

Could you expand on what is "not exactly true"?

> While it's never a good idea to accept SQL statements from a web interface, it 
> has nothing to do with the decision to use a Prepared Statement vs a regular 
> Statement. 

Any time you build the text of a SQL statement from user supplied values
you run the risk that a rogue parameter value could change the intended
behaviour of the SQL statement. This is simply not an issue with
PreparedStatements and parameter markers. That in my mind makes it a
factor in deciding what to use.

http://www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php

Dan.
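The point Dan makes above, shown in code. This is an added example written for this archive page, not code from either poster or from the Derby project. It assumes Derby's embedded driver is on the classpath and uses Derby's in-memory subprotocol (`jdbc:derby:memory:`), which is newer than this 2006 thread; the table, its rows and the rogue input value are constructed for the demonstration. The concatenating method lets the caller's value become part of the SQL text, so a value containing a quote rewrites the WHERE clause; the parameter-marker method compiles a fixed statement and binds the value as data, so the same input is merely compared as a string.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ParameterMarkerDemo {

    // Builds the SQL text from the caller's value. The value is spliced into the
    // statement, so any quote character in it changes the statement's structure.
    static int countByNameConcatenated(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Uses a parameter marker. The SQL text is fixed when the statement is
    // prepared; the value is bound afterwards and can only ever act as data.
    static int countByNameParameterized(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Embedded Derby, in-memory database (assumption: derby.jar on the classpath).
        try (Connection conn = DriverManager.getConnection("jdbc:derby:memory:demo;create=true")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample data for the demonstration.
                st.executeUpdate("CREATE TABLE employees (id INT PRIMARY KEY, name VARCHAR(50))");
                st.executeUpdate("INSERT INTO employees VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            }

            String honest = "alice";
            // Constructed rogue value: the embedded quote closes the string literal
            // in the concatenated statement and turns the rest into SQL syntax.
            String rogue = "x' OR 'a'='a";

            // Both methods agree on a well-behaved value.
            System.out.println("concatenated, honest value : " + countByNameConcatenated(conn, honest));
            System.out.println("parameterized, honest value: " + countByNameParameterized(conn, honest));

            // With the rogue value the concatenated WHERE clause matches every row,
            // while the parameterized query looks for a name equal to the whole
            // string and finds none.
            System.out.println("concatenated, rogue value  : " + countByNameConcatenated(conn, rogue));
            System.out.println("parameterized, rogue value : " + countByNameParameterized(conn, rogue));
        }
    }
}
```

Run it with `java -cp derby.jar:. ParameterMarkerDemo`; the two "rogue value" lines are the ones that differ, and they differ because of how the statement was built, not because of anything the web layer did or did not filter. The parameterized version also gives Derby a statement it can compile once and reuse, which is the performance point from earlier in the thread.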

