Prepared statements are "safer" because they reduce (essentially
prevent) the inclusion of raw SQL.

All they can do is set a value of an expected SQL variable. On top of
this, Java can be used to make sure that you're passing in the proper
type of business logic data.

Mark 
On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> Cool. Is there a reference somewhere that describes why prepared
> statements are safe?
> 
> Not that I don't trust you all, but the info isn't for me and I will
> have no credibility without a link or something I can pass along.
> 
> Thanks!
> 
> Geoff
> 
> On 8/8/05, Viktor Szathmary <[EMAIL PROTECTED]> wrote:
> > hi,
> >
> > On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> > > Has anyone out there given any serious thought towards a strategy for
> > > preventing these kinds of attacks in Tapestry forms?
> >
> > using PreparedStatements with bound variables is a good enough
> > solution for SQL insertion (plus throw in the usual basic data
> > validation for good measure).
> >
> > regards,
> >   viktor
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> 
> --
> The Spindle guy.           http://spindle.sf.net
> Get help with Spindle:
> http://lists.sourceforge.net/mailman/listinfo/spindle-user
> Announcement Feed:
> http://www.jroller.com/rss/glongman?catname=/Announcements
> Feature Updates:            http://spindle.sf.net/updates
> 
