Michael Segel wrote:

> On Tuesday 04 April 2006 6:23 pm, Daniel John Debrunner wrote:
>
>> Daniel John Debrunner wrote:
>>
>>> May I suggest that if you are writing samples for others to use that you
>>> demonstrate use of parameter markers in PreparedStatements. This will
>>> perform better on Derby and all other relational database engines.
>>
>> Another reason to use PreparedStatements is to avoid all the security
>> concerns that come with SQL injection issues.
>>
>
> [SNIP]
>
> Uhm, I'm afraid this has nothing to do with the issue at hand, along with the
> fact that it's not exactly true....

Could you expand on what is "not exactly true"?

> While it's never a good idea to accept SQL statements from a web interface, it
> has nothing to do with the decision to use a Prepared Statement vs a regular
> Statement.

Any time you build the text of a SQL statement from user supplied values you run the risk that a rogue parameter value could change the intended behaviour of the SQL statement. This is simply not an issue with PreparedStatements and parameter markers. That in my mind makes it a factor in deciding what to use.

http://www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php

Dan.
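As an added illustration of the point made above (this is not code from the thread or from the Derby project), the same lookup is written twice: once with the user value spliced into the SQL text through a plain Statement, and once bound through a parameter marker in a PreparedStatement. It assumes the Derby embedded driver is on the classpath and a Derby release that supports the in-memory storage back end (`jdbc:derby:memory:`); the table name `app_user`, the database name `markerDemo` and the sample rows and inputs are all constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not Derby project code: the same lookup built by string
 * concatenation and with a parameter marker, run against a throw-away
 * in-memory Derby database.
 */
public class ParameterMarkerDemo {

    // Constructed database name; the Derby embedded driver must be on the classpath.
    private static final String URL = "jdbc:derby:memory:markerDemo;create=true";

    /** Builds the SQL text from the user value: the value becomes part of the statement. */
    static int countWithStatement(Connection conn, String userName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM app_user WHERE name = '" + userName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Binds the user value to a parameter marker: it is data, never parsed as SQL. */
    static int countWithPreparedStatement(Connection conn, String userName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM app_user WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("CREATE TABLE app_user (id INT PRIMARY KEY, name VARCHAR(40))");
                // Constructed sample rows; the doubled quote is SQL's own escape for an apostrophe.
                st.executeUpdate("INSERT INTO app_user VALUES (1, 'alice'), (2, 'bob'), (3, 'O''Brien')");
            }

            // A legitimate value that happens to contain an apostrophe.
            String apostrophe = "O'Brien";
            // A rogue value whose quote and OR clause only mean something when spliced into SQL text.
            String rogue = "nobody' OR '1'='1";

            System.out.println("prepared, O'Brien : " + countWithPreparedStatement(conn, apostrophe));
            System.out.println("prepared, rogue   : " + countWithPreparedStatement(conn, rogue));
            System.out.println("statement, rogue  : " + countWithStatement(conn, rogue));
            try {
                countWithStatement(conn, apostrophe);
            } catch (SQLException e) {
                // The unescaped apostrophe corrupts the statement text: a syntax error, not a lookup.
                System.out.println("statement, O'Brien: SQLState " + e.getSQLState());
            }
        } finally {
            try {
                // Discard the in-memory database again.
                DriverManager.getConnection("jdbc:derby:memory:markerDemo;drop=true");
            } catch (SQLException expected) {
                // Derby reports a successful drop of an in-memory database as an SQLException.
            }
        }
    }
}
```

With the parameter marker the rogue string is compared, apostrophe and all, against the `name` column as an ordinary value, so it simply matches no row, and `O'Brien` matches exactly the row that holds that name. With concatenation the WHERE clause of the rogue call becomes `name = 'nobody' OR '1'='1'`, which is true for every row, and the legitimate apostrophe breaks the statement outright. That is the whole difference: a PreparedStatement keeps the statement structure fixed at prepare time and lets user input change only the data, which is why it settles the concern independently of where the input came from.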
