Luca Morandini wrote:

Torsten,

call me boring, but wouldn't it be better to use stored procedures over
dynamic SQL?

<quote from="MySQL Documentation">
Our aim is to have stored procedures implemented in MySQL Server around version 5.0.
</quote>

Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
when not taken care of... :-)

As far as DB exploits go, IMO, prepared statements are the simplest and the most
reliable way to ensure security against SQL injection. I think it should be a rule that
no piece of data ever gets concatenated into an SQL query.
Using PreparedStatement.set<Type>() should be the only accepted way to do that.
The only strings that can be concatenated into a dynamic SQL query should
be SQL fragments that are declared locally in the source code. Anything short of
that would never pass a peer code review 'round these parts.
--
Ilya


It offers: SoC, code re-use, security, performance...

Best regards,

Luca Morandini
[EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
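The review rule from the reply above (data only through set<Type>(), only locally declared SQL fragments concatenated), written out as an added JDBC example that is not part of the thread. A table "users" with columns username, email and created_at is assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Assumed schema: users(username, email, created_at). Example code, not from the thread.
public class UserQueries {

    // Fails review: request data is concatenated into the SQL text, so the
    // database parses whatever the caller supplied as part of the statement.
    static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Passes review: the SQL text is a literal and the value travels only
    // through set<Type>(), where the driver binds it as data, never as SQL.
    static String findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();   // closed together with ps
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Identifiers (column names, sort direction) cannot be bound with set<Type>().
    // Per the rule, the only text concatenated in is a fragment declared locally;
    // the caller's choice selects a fragment and is itself never placed in the SQL.
    static List<String> listEmailsSorted(Connection conn, String sortKey, boolean desc)
            throws SQLException {
        final String orderBy;
        switch (sortKey) {
            case "name":    orderBy = "username";   break;
            case "created": orderBy = "created_at"; break;
            default:        orderBy = "username";   break; // unknown key: safe default
        }
        String sql = "SELECT email FROM users ORDER BY " + orderBy + (desc ? " DESC" : " ASC");
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) emails.add(rs.getString("email"));
        }
        return emails;
    }
}
```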
