On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> Thanks for all the information!
> 
> One last question with regards to ORMs that use prepared statements...
> 
> Would the safety, or lack thereof, of these prepared statements be
> dependent on the JDBC driver implementation?

Not unless they are completely broken and violate the
PreparedStatement implementation contract. This would mean that
binding a String containing some escape char like single quote would
break a SQL query - even the worst drivers I have seen implemented
this correctly :)

btw, for an external authority on "why/how to use PreparedStatement" see:

http://www.devx.com/security/Article/20678/0/page/2
http://en.wikipedia.org/wiki/SQL_injection

regards,
  viktor
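To make the contract viktor describes concrete, here is an added example (not part of the original thread) using Python's `sqlite3` DB-API parameter binding as a stand-in for JDBC `PreparedStatement`; both hand the bound value to the driver separately from the SQL text, so a single quote inside the value is never parsed as SQL. The table and names are constructed sample data; `lookup_concatenated` and `lookup_bound` are names chosen here for illustration.

```python
import sqlite3

# Constructed sample data: an in-memory table, not taken from any real system.
SAMPLE_USERS = [("alice", "analyst"), ("o'brien", "admin"), ("bob", "analyst")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe form: the value is spliced into the SQL text, so any quote
    inside it changes the statement the parser sees."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Safe form: the value is sent as a bound parameter (the analogue of
    PreparedStatement.setString). The SQL text is fixed; the driver treats
    the value purely as data, quotes included."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


def compare(name: str) -> dict:
    """Run both forms on the same input and report what each returns.
    A parse failure in the concatenated form is reported as an error
    string instead of raising, so the two can be compared side by side."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concatenated = f"error: {exc}"
    bound = lookup_bound(conn, name)
    conn.close()
    return {"concatenated": concatenated, "bound": bound}


if __name__ == "__main__":
    # A plain name behaves the same either way.
    print(compare("alice"))
    # A name containing a single quote breaks the concatenated query with a
    # syntax error, while the bound query returns the matching row.
    print(compare("o'brien"))
```

The `o'brien` case is exactly the situation in the reply above: a driver that mishandled it would have to interpolate the bound string into the statement text rather than bind it, which would break ordinary queries long before anyone noticed a security problem.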

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]