On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> Thanks for all the information!
>
> One last question with regards to ORMs that use prepared statements...
>
> Would the safety, or lack thereof, of these prepared statements be
> dependent on the JDBC driver implementation?
Not unless they are completely broken and violate the PreparedStatement implementation contract. This would mean that binding a String containing some escape char like a single quote would break a SQL query - even the worst drivers I have seen implemented this correctly :)

btw, for an external authority on "why/how to use PreparedStatement" see:
http://www.devx.com/security/Article/20678/0/page/2
http://en.wikipedia.org/wiki/SQL_injection

regards,
viktor
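The binding contract viktor describes, shown as an added example that is not part of the original thread: a value containing a single quote is passed to the driver as data when bound, while the same value glued into the SQL text breaks the query. Python's sqlite3 module is used as a stand-in for a JDBC PreparedStatement because it runs without an external driver; the table and rows are constructed here.

```python
import sqlite3

# Constructed sample rows; the second name contains the single quote
# the thread talks about.
USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Unsafe variant: the input is spliced into the SQL text, so a quote
    inside it is parsed as SQL syntax. Returns None when the query fails."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_bound(conn, name):
    """Safe variant: the input is handed to the driver as a bound parameter
    and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()


def driver_honours_binding(conn):
    """Practitioner's check for the question in the thread: a driver that
    honours the binding contract returns the O'Brien row unchanged."""
    return lookup_bound(conn, "O'Brien") == [("obrien@example.com",)]


if __name__ == "__main__":
    db = make_db()
    print("concat  :", lookup_concat(db, "O'Brien"))   # None: query broke
    print("bound   :", lookup_bound(db, "O'Brien"))    # [('obrien@example.com',)]
    print("driver ok:", driver_honours_binding(db))
```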
