> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)

Ilya, you might be oblivious of the presence of PL/SQL (sort of) in
PostgreSQL...

Best regards,

Luca Morandini
Istituto Poligrafico e Zecca dello Stato
[EMAIL PROTECTED]
[EMAIL PROTECTED]


> -----Original Message-----
> From: Ilya A. Kriveshko [mailto:ilya@;kaon.com]
> Sent: Tuesday, 5 November 2002 16.05
> To: [EMAIL PROTECTED]
> Subject: Re: R: A case of SQL injection
>
>
> Luca Morandini wrote:
>
> >Torsten,
> >
> >call me boring, but, wouldn't it be better using stored procedures over
> >dynamic SQL ?
> >
> <quote from="MySQL Documentation">
>   Our aim is to have stored procedures implemented in MySQL Server
> around version 5.0.
> </quote>
>
> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)
>
> As far as DB exploits go, IMO, prepared statements are the simplest and
> the most reliable way to ensure security against SQL injection. I think
> it should be a rule that no piece of data ever gets concatenated into an
> SQL query. Using PreparedStatement.set<Type>() should be the only
> accepted way to do that.
> The only strings that can be concatenated into a dynamic SQL query should
> be SQL fragments that are declared locally in the source code. Anything
> short of that would never pass a peer code review 'round these parts.
> --
> Ilya
>
> >
> >It offers: SoC, code re-use, security, performance...
> >
> >Best regards,
> >
> >Luca Morandini
> >[EMAIL PROTECTED]
> >
> >
> >     We are protected from the virus by Norton Antivirus Corporate Edition
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, email: [EMAIL PROTECTED]

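The rule Ilya states in the quoted reply (bind every value as a parameter; concatenate only SQL fragments declared locally in the source) is shown below as an added example that is not part of the original thread. It uses Python's sqlite3 module and an in-memory database rather than JDBC, so it runs offline; the `?` placeholders play the role of PreparedStatement.set<Type>(). The table, the sample rows and the SORT_COLUMNS allowlist are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the thread). Plaintext passwords are used
# only to keep the demo to a single table.
SAMPLE_USERS = [
    (1, "alice", "s3cret", "admin"),
    (2, "bob", "hunter2", "user"),
    (3, "carol", "pa55word", "user"),
]

# SQL fragments declared locally in the source code: the only strings that
# may ever be spliced into a dynamic query. Request data selects a key here,
# it never becomes SQL text itself.
SORT_COLUMNS = {
    "name": "name",
    "role": "role",
}


def open_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable form: user input is concatenated into the SQL text, so a
    quote character in the input changes the structure of the query."""
    sql = (
        "SELECT id FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Hardened form: the query text is a constant; values are bound as
    parameters and are treated as data whatever characters they contain."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def list_users_sorted(conn, role, sort_key):
    """Dynamic ORDER BY done the permitted way: the column name comes from the
    locally declared SORT_COLUMNS table, the role value is bound. An unknown
    sort key is rejected instead of being concatenated."""
    try:
        column = SORT_COLUMNS[sort_key]
    except KeyError:
        raise ValueError("unsupported sort key: %r" % (sort_key,))
    sql = "SELECT name FROM users WHERE role = ? ORDER BY " + column
    return [row[0] for row in conn.execute(sql, (role,))]


if __name__ == "__main__":
    db = open_db()
    hostile = "' OR '1'='1"
    # Concatenation turns the hostile password into extra SQL and matches
    # every row; the prepared form compares it as a literal and matches none.
    print("concatenated:", login_concatenated(db, "x", hostile))
    print("prepared:    ", login_prepared(db, "x", hostile))
    print("valid login: ", login_prepared(db, "bob", "hunter2"))
    print("sorted users:", list_users_sorted(db, "user", "name"))
```

Running the block prints `[1, 2, 3]` for the concatenated query and `[]` for the prepared one on the same hostile input, which is the whole argument of the quoted reply in two lines of output. The `list_users_sorted` function shows the one legitimate use of concatenation: a fragment chosen from a dictionary that exists only in the source, so a reviewer can see every string that could ever reach the query text.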