openjpa-dev mailing list archives

From Jeremy Bauer
Subject Re: Logging SQL parameters
Date Thu, 03 Jun 2010 16:24:07 GMT
I think we should err on the side of caution here as well, by disabling
parameter logging by default.


On Thu, Jun 3, 2010 at 11:17 AM, Michael Dick wrote:

> Hi all,
> Yesterday I opened OPENJPA-1678 to suppress SQL parameter logging in
> exceptions and trace. While making the SQL values visible is a great
> benefit when debugging, it can present a security issue in production
> (e.g. if the column is a social security number).
> To resolve the problem I've posted a couple of patches to the JIRA. They
> both boil down to adding a configuration option in openjpa.Log or
> openjpa.ConnectionFactoryProperties to enable/disable parameter printing.
> This brings up the question of what the default behavior should be.  With
> something like this I'd prefer to err on the side of caution and disable
> parameter logging by default. It'd be easy to not notice the parameter
> values while testing an application (or to be unconcerned with them since
> they're 'dummy data') - if you hit an error in production it's too late and
> the cat's out of the bag.
> Does anyone feel strongly about the correct default (either way)?
> -mike
