Re: prepared statements

From: Tobias.Schoessle..nvienna.org
Date: Wed Oct 18 2006 - 15:10:36 EDT


    If I may assume, "If you do not fix this, your application is doomed to utter and total failure from day one." was referring to the possible danger of SQL code injection when not using prepared statements but simple constructed SQL strings fired against ORACLE.

    Joshua Pyle <joshua.t.pyl..mail.com> wrote:
    the #bind and general templating you can do in SQL Template has come
    in very handy for me. And you are on the right path.

    From what I understand the binding gets done at a Velocity level and
    JDBC PreparedStatements get created. I don't believe it's DB
    dependent.

    Someone please correct me if I'm wrong.

    -- 
    Joshua T. Pyle
    Go has always existed.
    

    On 10/18/06, Bryan Lewis <brya..aine.rr.com> wrote:
    > I just wanted to confirm something with the group. I've been using
    > SQLTemplate for a few special-purpose things in our apps, mainly for
    > quick counts or searches. However, someone pointed out to me recently
    > that it was bad to pass simple SQL strings to Oracle; I should be using
    > bind variables instead, or in the Java idiom, creating
    > PreparedStatements. For example,
    > http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:528893984337
    > preaches, "If you do not fix this, your application is doomed to utter
    > and total failure from day one." I thought that was overstating the
    > problem just a bit, seeing as how our apps have done well for a couple
    > of years past day one, but okay, I'll heed the advice.
    >
    > It appears that this isn't hard to do with SQLTemplate, using the #bind
    > directive. I skimmed the Cayenne code and saw where it creates a
    > PreparedStatement with the parameters. Very cool.
    >
    > Assuming I'm on the right track so far... Will this work equally well on
    > different databases? Oracle and PostgreSQL are the only ones I really
    > care about. A google didn't turn up anything definitive about which
    > databases accept bind variables, but maybe they use different terms.
    >
    > Thanks.

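The difference the thread is discussing, as an added example that is not code from any of the posters or from the Cayenne project: a SQLTemplate built by string concatenation beside the same query using the #bind directive. It assumes Cayenne's SQLTemplate API (org.apache.cayenne.query.SQLTemplate with setParameters, and DataContext.performQuery), plus a hypothetical Artist entity mapped to a table ARTIST with a NAME column.

```java
import java.util.Collections;
import java.util.List;

import org.apache.cayenne.access.DataContext;
import org.apache.cayenne.query.SQLTemplate;

// Added example, not from the thread. Artist is a hypothetical mapped
// entity (table ARTIST, column NAME); package names assume a current
// Apache Cayenne release.
public class ArtistSearch {

    // Weak form: the caller-supplied value is spliced into the SQL text.
    // Every distinct input produces a distinct statement for Oracle to
    // parse, and a quote character in the input changes the meaning of
    // the statement instead of being treated as data.
    static SQLTemplate concatenated(String name) {
        String sql = "SELECT * FROM ARTIST WHERE NAME = '" + name + "'";
        return new SQLTemplate(Artist.class, sql);
    }

    // Hardened form: #bind($name) is rendered as a '?' placeholder and
    // Cayenne hands the value to the JDBC PreparedStatement as a
    // parameter, so it never becomes part of the SQL text. The statement
    // text is also the same for every input, which is what the AskTom
    // "bind variables" advice is about. Because the placeholder is plain
    // JDBC '?', the same template works on Oracle and PostgreSQL.
    static SQLTemplate bound(String name) {
        SQLTemplate query = new SQLTemplate(Artist.class,
                "SELECT * FROM ARTIST WHERE NAME = #bind($name)");
        query.setParameters(Collections.singletonMap("name", name));
        return query;
    }

    // A "quick count" in the style the original poster mentions: plain
    // rows rather than entity objects, still with the value bound.
    static SQLTemplate countByName(String name) {
        SQLTemplate query = new SQLTemplate(Artist.class,
                "SELECT COUNT(*) AS CNT FROM ARTIST WHERE NAME = #bind($name)");
        query.setFetchingDataRows(true);
        query.setParameters(Collections.singletonMap("name", name));
        return query;
    }

    static List<?> search(DataContext context, String name) {
        return context.performQuery(bound(name));
    }
}
```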



    This archive was generated by hypermail 2.0.0 : Wed Oct 18 2006 - 15:11:04 EDT