Re: [JDBC] Prepared statement performance...
| From | Peter Kovacs |
|---|---|
| Subject | Re: [JDBC] Prepared statement performance... |
| Date | |
| Msg-id | 00fe01c27353$9d67caa0$55550a8b@ACER |
| In reply to | Re: [JDBC] Prepared statement performance... (Curt Sampson <cjs@cynic.net>) |
| List | pgsql-general |
> > The uses of the Statement object and PreparedStatement object do not
> > IMHO have anything to do with how many times you use them. They have to
> > do with how you supply values in the sql statement. If you use just the
> > Statement object you are required to know the postgres date format in
> > order to include a date value, where it is much easier (and more
> > portable across databases) to just use a PreparedStatement, a ?, and a
> > setDate() call.
>
> I agree entirely. Even more importantly, it's much, much more difficult
> to write a secure application (one not subject to SQL injection attacks)
> if you are forced to quote data yourself. The driver already knows how
> to deal with any string you pass to it; why would you want to re-write
> that code, possibly introducing errors into it? (For those not familiar
> with SQL injection attacks, I'm referring to the situation where someone
> types, say, "foo'; DROP TABLE bar;" into the "Name" field on your web
> form, or whatever.)

I do not clearly understand what the problem is with someone typing in
"foo'; DROP TABLE bar;" into the "Name" field on your web form.
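An added example, not from this thread or from the pgjdbc project, showing the two styles the quoted reply contrasts: a `Statement` built by pasting user text into the SQL, and a `PreparedStatement` with `?` placeholders and `setDate()`. It assumes an already open JDBC `Connection` and a hypothetical `customers` table with `name` and `created` columns.

```java
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.time.LocalDate;

public final class CustomerLookup {

    // Unsafe: the caller's text becomes part of the SQL text itself. A value
    // such as foo'; DROP TABLE bar; closes the quoted literal, so whatever
    // follows is parsed as SQL by the server rather than treated as a name.
    static int countByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT count(*) FROM customers WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed; each ? is bound by the driver, so the
    // input is always a value and never SQL. The driver also formats the
    // date for PostgreSQL, so the application never needs to know that format.
    static int countByNameSince(Connection conn, String name, LocalDate since)
            throws SQLException {
        String sql = "SELECT count(*) FROM customers WHERE name = ? AND created >= ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);                 // quotes inside name stay data
            ps.setDate(2, Date.valueOf(since));    // hypothetical 'created' column
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```

Calling `countByNameSince(conn, "foo'; DROP TABLE bar;", LocalDate.of(2002, 1, 1))` simply counts rows whose name equals that literal string; the same input passed to `countByNameUnsafe` is handed to the server as part of the statement text.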