[ https://issues.apache.org/jira/browse/DERBY-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13087837#comment-13087837 ]
Kathey Marsden commented on DERBY-3676:
---------------------------------------

I think including the internal Derby class names in the permission doesn't seem quite right, although I guess we would need to specify Derby specifically vs other databases. Since this would be a diagnostic tool and really shouldn't be used or parsed in any production environment, we could, as you suggest, always revert to the old output when running under a security manager and not even bother with adding a permission at this time. If someone comes back with a reason they have to have it under a security manager, then we can talk about their scenario, permission names and security at that time.

Also, this does seem specific to PreparedStatements, as Statement would not have any SQL text or parameters directly associated with it.

I too think it is good to understand what the exact attack scenarios would be. I am not sure I really understand it with local PreparedStatement instances. DriverManager.setLogWriter really needed protection because it is a public static method that is part of the Java API.

> Make the toString() method of Derby PreparedStatements print out SQL text with ? parameters replaced by the values that have been set so far
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-3676
> URL: https://issues.apache.org/jira/browse/DERBY-3676
> Project: Derby
> Issue Type: Improvement
> Components: JDBC
> Reporter: Rick Hillegas
> Assignee: Siddharth Srivastava
> Attachments: humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, ick.txt, ick.txt, prepared.diff, statementCacheVTI.sql
>
>
> This topic came up in the following email thread on the user list:
> http://www.nabble.com/PreparedStatement.toString%28%29---nice-formatting-td17250811.html#a17250811
>
> Here's what the thread requests:
>
> "In mysql, a toString() on a PreparedStatement will do this, eg "select x from foo where x.a = ?" will become "select x from foo where x.a = 1" with the appropriate setValue() call."
>
> At first blush, this seems like it might be a simple project for a newcomer.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
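The behaviour the issue asks for (a PreparedStatement whose toString() shows the SQL with each ? replaced by the value bound so far) together with the fallback the comment above suggests (keep the old, opaque output when a security manager is installed) can be sketched outside the driver as a dynamic proxy around any JDBC PreparedStatement. This is an added illustration, not Derby's own implementation or any of the patches attached to the issue; the class name HumanReadablePreparedStatement, the wrap() helper and the rendering rules are assumptions made here. Unset parameters are left as ?, NULLs are shown as NULL, strings are single-quoted, and the rendered text is for diagnostics only: it must never be fed back to execute(), since quoting values into SQL text by hand is exactly the injection risk parameter binding exists to avoid. System.getSecurityManager() is the pre-Java-17 API the comment refers to; it is deprecated in current JDKs.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.PreparedStatement;
import java.util.TreeMap;

/**
 * Hypothetical helper (not part of Derby): wraps a PreparedStatement so that
 * toString() renders the SQL with bound values substituted for ? markers.
 */
public final class HumanReadablePreparedStatement {

    private HumanReadablePreparedStatement() {}

    /** Returns a proxy that delegates every JDBC call to {@code delegate}. */
    public static PreparedStatement wrap(PreparedStatement delegate, String sql) {
        return (PreparedStatement) Proxy.newProxyInstance(
            PreparedStatement.class.getClassLoader(),
            new Class<?>[] { PreparedStatement.class },
            new Handler(delegate, sql));
    }

    private static final class Handler implements InvocationHandler {
        private final PreparedStatement delegate;
        private final String sql;
        /** 1-based parameter index to rendered value; TreeMap keeps them ordered. */
        private final TreeMap<Integer, String> bound = new TreeMap<>();

        Handler(PreparedStatement delegate, String sql) {
            this.delegate = delegate;
            this.sql = sql;
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            String name = m.getName();
            if ("toString".equals(name) && (args == null || args.length == 0)) {
                return render();
            }
            if ("clearParameters".equals(name)) {
                bound.clear();
            } else if (name.startsWith("set") && args != null && args.length >= 2
                       && args[0] instanceof Integer) {
                // Covers setInt(int, int), setString(int, String), setNull(int, int), ...
                bound.put((Integer) args[0], renderValue(name, args[1]));
            }
            try {
                return m.invoke(delegate, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();   // surface the driver's SQLException unchanged
            }
        }

        /** Substitutes bound values for ? markers, or falls back under a security manager. */
        private String render() {
            // The fallback the comment proposes: under a security manager keep the
            // old, opaque output rather than exposing parameter values.
            if (System.getSecurityManager() != null) {
                return delegate.toString();
            }
            StringBuilder out = new StringBuilder(sql.length() + 32);
            int index = 0;
            for (int i = 0; i < sql.length(); i++) {
                char c = sql.charAt(i);
                if (c == '?') {
                    index++;
                    String v = bound.get(index);
                    out.append(v != null ? v : "?");   // not yet set: leave the marker
                } else {
                    out.append(c);
                }
            }
            return out.toString();
        }

        /** Display rendering only; the result is never safe to execute as SQL. */
        private static String renderValue(String setter, Object v) {
            if ("setNull".equals(setter) || v == null) {
                return "NULL";   // setNull's second argument is the SQL type, not a value
            }
            if (v instanceof Number || v instanceof Boolean) {
                return v.toString();
            }
            if (v instanceof byte[]) {
                StringBuilder hex = new StringBuilder("X'");
                for (byte b : (byte[]) v) {
                    hex.append(String.format("%02X", b));
                }
                return hex.append('\'').toString();
            }
            return "'" + v.toString().replace("'", "''") + "'";
        }
    }
}
```

With a real connection, `PreparedStatement ps = HumanReadablePreparedStatement.wrap(conn.prepareStatement(sql), sql); ps.setInt(1, 1);` makes `ps.toString()` return `select x from foo where x.a = 1` for the SQL quoted in the issue, while `ps.setString(2, "O'Brien")` on a second marker would render as `'O''Brien'`. Two caveats a practitioner should keep in mind: a `?` inside a string literal in the SQL is treated as a marker by this naive scan, and the rendered text reveals whatever was bound, including passwords or personal data, so it belongs in debug output only, which is the reason the comment's security-manager fallback and the "should not be used in production" framing matter.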