Prepared statements are "safer" because they reduce (essentially prevent) the inclusion of raw SQL.
All they can do is set a value of an expected SQL variable. On top of this, Java can be used to make sure that you're passing in the proper type of business-logic data.

Mark

On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> Cool. Is there a reference somewhere that describes why prepared
> statements are safe?
>
> Not that I don't trust you all, but the info isn't for me and I will
> have no credibility without a link or something I can pass along.
>
> Thanks!
>
> Geoff
>
> On 8/8/05, Viktor Szathmary <[EMAIL PROTECTED]> wrote:
> > hi,
> >
> > On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> > > Has anyone out there given any serious thought towards a strategy for
> > > preventing these kinds of attacks in Tapestry forms?
> >
> > using PreparedStatements with bound variables is a good enough
> > solution for SQL insertion (plus throw in the usual basic data
> > validation for good measure).
> >
> > regards,
> > viktor
>
> --
> The Spindle guy. http://spindle.sf.net
> Get help with Spindle:
> http://lists.sourceforge.net/mailman/listinfo/spindle-user
> Announcement Feed:
> http://www.jroller.com/rss/glongman?catname=/Announcements
> Feature Updates: http://spindle.sf.net/updates

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
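The mechanism the thread is asking a reference for is simple: with a prepared statement the database parses the SQL text, with placeholders, before any user-supplied value is bound, so a bound value can only ever be data and is never re-parsed as SQL. The following is an added example, not code from the thread or from Tapestry, written in Python against SQLite rather than Java JDBC because the principle is identical and it runs stand-alone; the table, the two users and the `' OR '1'='1` payload are constructed for the demo. It puts the string-concatenation query beside the bound-parameter version so the difference in outcome is visible, and it also shows the one caveat practitioners hit: table and column names cannot be bound, so anything that ends up in an ORDER BY or identifier position still needs an allow-list.

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Hypothetical allow-list of columns the application permits sorting on.
ALLOWED_SORT = {"name"}


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: input is spliced into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    """Safe: the statement is parsed with '?' placeholders first, values bound after.
    This is the SQLite equivalent of JDBC PreparedStatement.setString()."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def sort_column_allowed(column):
    """Identifiers cannot be bound as parameters, so they are checked
    against an allow-list instead of being trusted from the request."""
    return column in ALLOWED_SORT


def list_users_sorted(conn, column):
    """Splice an identifier only after it has passed the allow-list check."""
    if not sort_column_allowed(column):
        raise ValueError("unsupported sort column")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


def demo():
    """Run the same credentials through both query styles and return the rows."""
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology injection in the password field
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_attack": login_concat(conn, "x", payload),
        "bound_normal": login_bound(conn, "alice", "s3cret"),
        "bound_attack": login_bound(conn, "x", payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With concatenation the attack string turns the WHERE clause into `name = 'x' AND password = '' OR '1'='1'`, which matches every row; with binding the same string is compared literally against the password column and matches nothing. Note that binding protects values only: the `list_users_sorted` helper shows why a column name coming from a form still has to be validated separately, which is the "basic data validation" the thread mentions applied to the one place parameters cannot reach.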
