[email protected] wrote:
> Some thoughts from my side.
>
> 1) Using a regexp to avoid sql injection is a nice idea. But I think
> most developers are not familiar with regexps and thus, the regexp
> mostly used will be ".*", opening the door for all kinds of sql injection
> attacks. Why not use prepared (callable) statements?

Because the user sponsoring this requires changing parts of the query, not just values. So prepared statements are useless; there is no funding for that approach.
If the PSC feels strongly against pure substitution + regexp (like MapServer does), please let me know soon, as I'll have to go back to the customer and state that the PSC rejected the proposal (and look for alternative paths, like making a private fork of GeoTools for them).

> Another problem I see is that the concept invites the user to distribute
> sql fragments to different places, making it hard to debug and/or alter
> the db design. I think it is better to have the sql stuff concentrated
> in few places in the code.
>
> 2) Passing the params in the environment. Again a nice idea, but hard to
> debug. Personally I feel better seeing the parameter handling in the
> code associated with the query object. The EnvFunction is some "magic",
> setting values at one place and using them at another place.
> EnvFunction.clearLocalValues is another danger if it is not called at
> the right time and may cause some nasty side effect.

I think it's easier for the user to have a single param replacement mechanism, but I can also go for this. Would a map contained in a query hint be better? It makes no sense to roll new Query methods, as this would be JDBC store specific.
So I guess this one can be put to votes. Which approach do people prefer?

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.
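The thread contrasts two mechanisms: substituting caller-supplied SQL fragments into a query after checking them against a regexp (the proposal), and binding values through a prepared statement (the reviewer's suggestion). The following is an added example, not code from the thread or from GeoTools, that models both on a constructed in-memory SQLite table. The `%name%` placeholder syntax, the `TEMPLATE` string, the `LAX` and `STRICT` validator maps and every function name are assumptions made for illustration. It shows concretely what the reviewer's ".*" concern means: a permissive validator lets a "value" rewrite the WHERE clause, a full-match validator refuses it, and a placeholder with no declared validator is refused outright rather than defaulting to "anything goes". The bound-value variant shows why binding alone does not cover Andrea's use case: the operator is part of the query structure, so it still needs its own closed-list check.

```python
import re
import sqlite3

# Added example, not GeoTools code: a minimal model of regexp-validated
# fragment substitution versus value binding through a prepared statement.
# Placeholder syntax (%name%), TEMPLATE and the validator maps are assumptions.


class FragmentRejected(ValueError):
    """Raised when a substituted fragment fails its declared regexp."""


def substitute(template, params, validators):
    """Replace %name% placeholders in an SQL template with caller-supplied text.

    Every placeholder must have a validator regexp, and the whole value must
    match it (re.fullmatch), so a partial match cannot smuggle extra SQL in.
    """
    def repl(match):
        name = match.group(1)
        if name not in validators:
            # No validator declared: refuse, instead of silently accepting ".*".
            raise FragmentRejected(f"no validator declared for %{name}%")
        value = str(params.get(name, ""))
        if re.fullmatch(validators[name], value) is None:
            raise FragmentRejected(f"%{name}% value {value!r} rejected")
        return value
    return re.sub(r"%(\w+)%", repl, template)


def sample_db():
    """Constructed in-memory table used by the query functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roads (name TEXT, speed INTEGER)")
    conn.executemany("INSERT INTO roads VALUES (?, ?)",
                     [("lane", 30), ("avenue", 50), ("motorway", 130)])
    return conn


# A query whose structure (the operator) as well as its value is parameterised.
TEMPLATE = "SELECT name FROM roads WHERE speed %op% %limit% ORDER BY name"

# The default the thread warns about: any text at all passes.
LAX = {"op": ".*", "limit": ".*"}
# A validator set that only admits what each fragment is meant to be.
STRICT = {"op": r"<|>|=", "limit": r"\d{1,4}"}


def query_by_substitution(conn, params, validators):
    """Build the SQL by substitution, then run it; returns road names."""
    sql = substitute(TEMPLATE, params, validators)
    return [row[0] for row in conn.execute(sql)]


def query_by_binding(conn, op, limit):
    """Prepared-statement variant: the value is bound and never parsed as SQL.

    The operator is query structure, not a value, so a bind parameter cannot
    stand in for it; it must come from a closed list instead.
    """
    if op not in ("<", ">", "="):
        raise ValueError("operator must be one of <, >, =")
    sql = f"SELECT name FROM roads WHERE speed {op} ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (int(limit),))]


def rejected(fn, *args):
    """True if the call is refused before any SQL reaches the database."""
    try:
        fn(*args)
    except ValueError:  # FragmentRejected is a ValueError too
        return True
    return False


if __name__ == "__main__":
    conn = sample_db()
    hostile = {"op": "<", "limit": "0 OR 1=1"}
    print("strict, honest input:", query_by_substitution(conn, {"op": "<", "limit": "60"}, STRICT))
    print("lax, hostile input:  ", query_by_substitution(conn, hostile, LAX))
    print("strict, hostile input rejected:", rejected(query_by_substitution, conn, hostile, STRICT))
    print("bound, honest input: ", query_by_binding(conn, "<", "60"))
```

With `LAX` the "limit" text rewrites the WHERE clause and every row comes back; with `STRICT` the same request never reaches the database. The check that matters in practice is the `fullmatch` plus the refusal of undeclared placeholders: a developer who forgets to declare a validator gets an error at first use, not a silent ".*".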
