> My main point is that performance generally isn't that much an issue in
> server side web development.
I can't believe this!!! In our project we are trying hard to increase
throughput and response time/performance. These small points add up and
later create problems.
> e.g. the difference between using Connection pooling or not is in the
> order of 100 - 300 ms. In that case, it does matter.
Ok I agree
> Security: I already said that it was my favorite trick to break into asp
> sites (these generally don't use PreparedStatements. I don't know if such
> a thing exists in asp)
> imagine your login check as:
> String userName = request.getParameter("userName");
> String password = ....
> ResultSet rs = stmt.executeQuery("select userName, status from login where
> userName = '"+userName+"' and password = '"+password+"'");
>
> Now, I can login by using userName/password
> test / test' or '1'='1
>
> Believe me. It works. I've seen them doing it, man ;-)
I am not including such poorly developed sites.
> - Stability and correctness:
> Think about a last name lookup HTML form and I type in
> O'Connor
??
> I also think PreparedStatements are cleaner code. Think about the parallel
> with a method name and the arguments. You're not creating several methods
> that do the same thing (apart from the arguments).
I also agree. Especially if a query takes 10-15 parameters, I would prefer a
prepared statement. However, for executing very small queries like "Select *"
etc., I don't think it will give me any benefit.
I am again saying that use of prepared statements should be done thoughtfully
instead of considering it as "default" for executing the queries.
Regds
Ashwani
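The login check Geert sketches (quoted at the top of this message), carried through as an added example that is not code from the thread: it uses Python's standard-library sqlite3 module in place of the JDBC code the list discusses, with sqlite3's `?` placeholders playing the role of PreparedStatement parameters. The `login` and `person` tables, their columns and the sample rows are constructed for the demo; the `test' or '1'='1` and `O'Connor` inputs are the ones from the thread.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table login (userName text, password text, status text)")
    conn.execute("create table person (lastName text)")
    conn.executemany("insert into login values (?, ?, ?)",
                     [("alice", "s3cret", "active")])
    conn.executemany("insert into person values (?)",
                     [("O'Connor",), ("Smith",)])
    return conn


def login_concat(conn, user_name, password):
    """The pattern quoted in the thread: request parameters spliced into SQL text."""
    sql = ("select userName, status from login where userName = '" + user_name
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, user_name, password):
    """Same query with bound parameters; the input is never parsed as SQL."""
    sql = "select userName, status from login where userName = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def lookup_concat(conn, last_name):
    """Last-name lookup built by concatenation (the 'correctness' point)."""
    return conn.execute(
        "select lastName from person where lastName = '" + last_name + "'").fetchall()


def lookup_prepared(conn, last_name):
    """Last-name lookup with a bound parameter."""
    return conn.execute(
        "select lastName from person where lastName = ?", (last_name,)).fetchall()


def demo():
    """Run both styles against the thread's inputs and collect the results."""
    conn = make_db()
    results = {}
    # Legitimate credentials: both styles return the matching row.
    results["concat_valid"] = login_concat(conn, "alice", "s3cret")
    results["prepared_valid"] = login_prepared(conn, "alice", "s3cret")
    # The thread's userName/password pair "test / test' or '1'='1".
    # Concatenated: the WHERE clause becomes
    #   userName = 'test' and password = 'test' or '1'='1'
    # which is true for every row, so an unknown user gets a result row.
    # Bound: the whole string is compared as a password value and matches nothing.
    results["concat_injected"] = login_concat(conn, "test", "test' or '1'='1")
    results["prepared_injected"] = login_prepared(conn, "test", "test' or '1'='1")
    # The O'Connor case: the apostrophe breaks the concatenated SQL outright.
    try:
        results["concat_oconnor"] = lookup_concat(conn, "O'Connor")
    except sqlite3.Error as exc:
        results["concat_oconnor"] = "error: " + str(exc)
    results["prepared_oconnor"] = lookup_prepared(conn, "O'Connor")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated login returns alice's row for the injected input while the bound version returns nothing, and the concatenated last-name lookup fails with a SQL syntax error on `O'Connor` while the bound one finds the row: the same two lines of code cover both the security and the correctness argument, with no escaping logic to get wrong.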
----- Original Message -----
From: "Geert Van Damme" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 4:29 PM
Subject: Re: PreparedStatement vs Statement
> The difference between Statement and PreparedStatement is in the order of
> nanoseconds. I'm sure it's less than 1 ms on normal hardware.
> That means it would take > 1000 requests to increase the processor time
> with 1 second. I'd say that this is cheap ;-) I'm not saying performance
> doesn't matter at all.
> e.g. the difference between using Connection pooling or not is in the
> order of 100 - 300 ms. In that case, it does matter.
>
> To answer your question:
>
> - Security: I already said that it was my favorite trick to break into asp
> sites (these generally don't use PreparedStatements. I don't know if such
> a thing exists in asp)
> imagine your login check as:
> String userName = request.getParameter("userName");
> String password = ....
> ResultSet rs = stmt.executeQuery("select userName, status from login where
> userName = '"+userName+"' and password = '"+password+"'");
>
> Now, I can login by using userName/password
> test / test' or '1'='1
>
> Believe me. It works. I've seen them doing it, man ;-)
>
> - Stability and correctness:
> Think about a last name lookup HTML form and I type in
> O'Connor
>
> Geert Van Damme
>
> I also think PreparedStatements are cleaner code. Think about the parallel
> with a method name and the arguments. You're not creating several methods
> that do the same thing (apart from the arguments).
>
> Geert Van Damme
>
>
> > -----Original Message-----
> > From: A mailing list about Java Server Pages specification and reference
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Ashwani Kalra
> > Sent: vrijdag 3 mei 2002 12:34
> > To: [EMAIL PROTECTED]
> > Subject: Re: PreparedStatement vs Statement
> >
> >
> > Can you explain these four points in terms of
> > statements/preparedstatements
> > specially security ,stability , correctness ?
> >
> > Ashwani
> >
> >
> > ----- Original Message -----
> > From: "Geert Van Damme" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, May 03, 2002 3:42 PM
> > Subject: Re: PreparedStatement vs Statement
> >
> >
> > > > Performance will of course play the major role in selecting
> > > > between the two.
> > > >
> > >
> > >
> > > I seriously doubt that.
> > >
> > > - Correctness
> > > - Stability
> > > - Security
> > > - Maintainability
> > >
> > > Are IMO all much more crucial than raw speed.
> > >
> > > Geert Van Damme
> > >
> > >
> > ==================================================================
> > =========
> > > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> > JSP-INTEREST".
> > > For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
> > DIGEST".
> > > Some relevant FAQs on JSP/Servlets can be found at:
> > >
> > > http://archives.java.sun.com/jsp-interest.html
> > > http://java.sun.com/products/jsp/faq.html
> > > http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > > http://www.jguru.com/faq/index.jsp
> > > http://www.jspinsider.com
> > >
> >