Re: Change in Log Format and Prepared Statements

From: Alexander Stanier
Subject: Re: Change in Log Format and Prepared Statements
Msg-id: 5056CA0D.7090109@egsgroup.com
In reply to: Re: Change in Log Format and Prepared Statements (Maciek Sakrejda <m.sakrejda@gmail.com>)
Responses: Re: Change in Log Format and Prepared Statements (Craig Ringer <ringerc@ringerc.id.au>)
List: pgsql-jdbc
Thanks, Maciek, for your advice, which I will pass back to our Java developers. We are using a combination of Torque and Hibernate to access the database via jdbc. I think Hibernate passes parameters as you suggest but Torque doesn't. We are slowly moving away from Torque to Hibernate.

Do you know if there is any documentation on the "unnamed variant" of prepared statements? I've read the pages on PREPARE and EXECUTE but they don't go into much depth about what happens in the background.

Alex Stanier.

On 13/09/2012 21:12, Maciek Sakrejda wrote:
> To clarify, when prepareThreshold is set to zero, the driver still
> uses prepared statements, but it uses only the unnamed variant, which
> should effectively have no overhead compared to inlining parameters.
> The separate log messages are due to this change.
>
> Safely passing in parameters is an important reason to use prepared
> statements (perhaps more so than performance), so as to protect
> against SQL injection. For what it's worth, based on the logs, it
> looks like you're not doing that; you should seriously consider making
> that change, especially if data like user names is coming externally.
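The two ways of sending a user name to the server that Maciek's reply contrasts, as an added example that is not part of the thread and not pgjdbc's own code. The connection URL, credentials, and the `app_user`/`username` table and column are assumptions; `prepareThreshold` (as a connection property) and `org.postgresql.PGStatement.setPrepareThreshold` are the real pgjdbc knobs the thread is discussing.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

import org.postgresql.PGStatement;

/**
 * Added example (not from the thread, not pgjdbc code): inlined SQL text
 * versus a parameterised statement, with prepareThreshold=0 so the driver
 * uses only the unnamed server-side prepared statement.
 */
public class PreparedStatementExample {

    // Placeholder connection details, not values from the thread.
    private static final String URL = "jdbc:postgresql://localhost:5432/appdb";

    static Connection connect() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", "app");
        props.setProperty("password", "secret");
        // prepareThreshold=0: the driver never promotes a statement to a
        // named server-side prepared statement; every execution uses the
        // unnamed one (Parse/Bind/Execute each time), yet values still
        // travel as bind parameters rather than as SQL text.
        props.setProperty("prepareThreshold", "0");
        return DriverManager.getConnection(URL, props);
    }

    /** Inlines the value into the SQL text: the pattern the logs suggested. */
    static boolean inlinedLookup(Connection conn, String userName) throws SQLException {
        String sql = "SELECT 1 FROM app_user WHERE username = '" + userName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /** Parameterised: the value is sent in the Bind message, never parsed as SQL. */
    static boolean parameterisedLookup(Connection conn, String userName) throws SQLException {
        String sql = "SELECT 1 FROM app_user WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // Per-statement override of the driver-wide connection property.
            ps.unwrap(PGStatement.class).setPrepareThreshold(0);
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: an ordinary name containing a quote is enough
        // to break the inlined form (syntax error) while the parameterised
        // form handles it as plain data.
        String name = "O'Brien";
        try (Connection conn = connect()) {
            System.out.println("parameterised: " + parameterisedLookup(conn, name));
            try {
                System.out.println("inlined: " + inlinedLookup(conn, name));
            } catch (SQLException e) {
                System.out.println("inlined failed: " + e.getMessage());
            }
        }
    }
}
```

With statement logging enabled on the server, the parameterised form shows up as an `execute <unnamed>` line with the value reported separately in a `parameters: $1 = ...` DETAIL line, which is the log shape the thread's subject refers to; the inlined form logs the whole statement with the user-supplied text spliced into it. Checking your own logs for which of the two shapes appears is a quick way to confirm whether an ORM layer such as Torque is actually binding parameters.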
