openjpa-dev mailing list archives
From Jeremy Bauer <techhu...@gmail.com>
Subject Re: Logging SQL parameters
Date Thu, 03 Jun 2010 16:24:07 GMT
I think we should err on the side of caution here as well, by disabling
parameter logging by default.

-Jeremy

On Thu, Jun 3, 2010 at 11:17 AM, Michael Dick <michael.d.dick@gmail.com> wrote:

> Hi all,
>
> Yesterday I opened OPENJPA-1678 <http://issues.apache.org/jira/browse/OPENJPA-1678>
> to suppress SQL parameter logging in exceptions and trace. While making the
> SQL values visible is a great benefit when debugging, it can present a
> security issue in production (e.g. if the column is a social security
> number).
>
> To resolve the problem I've posted a couple of patches to the JIRA. They
> both boil down to adding a configuration option in openjpa.Log or
> openjpa.ConnectionFactoryProperties to enable/disable parameter printing.
>
> This brings up the question of what the default behavior should be.  With
> something like this I'd prefer to err on the side of caution and disable
> parameter logging by default. It'd be easy to not notice the parameter
> values while testing an application (or to be unconcerned with them since
> they're 'dummy data') - if you hit an error in production it's too late and
> the cat's out of the bag.
>
> Does anyone feel strongly about the correct default (either way)?
>
> -mike
>
