2007/11/15, Mike Duffy <[EMAIL PROTECTED]>:
> Prepared statements, if created correctly, will work, but if your statements
> are created dynamically with text strings as the values instead of "?"
> placeholders, problems can occur.
I wonder why you create query strings this way: you can always build a query dynamically, with a variable number of parameters.

In the PDF you sent, there is this sentence:

<snip>
SQL Statements using bind variables are generally immune to SQL Injection attacks as the Oracle database will use the value of the bind variable exclusively and not interpret the contents of the variable in any way. PL/SQL and JDBC allow for bind variables. Bind variables should be extensively used for both security and performance reasons.
</snip>

I think you have no excuse :-)

Antonio
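The point Antonio is making, that a variable number of values is no reason to paste text into the SQL, as an added example that is not part of the thread and not code from either poster. It uses Python's sqlite3 module in place of the JDBC/Oracle setting the thread discusses (an assumption made so it runs offline); the placeholder syntax "?" is the same. The users table, its rows and the injection payload are constructed for the demo. `find_by_names_concat` is the pattern Mike describes (values as text strings) and `find_by_names_bound` builds the same IN (...) query with one "?" per value and passes the values as bind parameters.

```python
import sqlite3

# Constructed sample data for the demo.
CONSTRUCTED_USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]

# Constructed payload: closes the IN (...) list and appends an always-true
# condition, so the concatenated query matches every row.
PAYLOAD = "x') OR ('1'='1"


def make_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def find_by_names_concat(conn, names):
    """Vulnerable: the values become part of the SQL text, so a quote in a
    value changes the statement the database parses."""
    quoted = ", ".join("'" + n + "'" for n in names)
    sql = "SELECT name FROM users WHERE name IN (" + quoted + ") ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_by_names_bound(conn, names):
    """Safe: the SQL text only ever contains "?" placeholders; the values go
    to the database as bind parameters and are never parsed as SQL, however
    many of them there are."""
    if not names:
        return []
    placeholders = ", ".join("?" * len(names))  # e.g. "?, ?, ?"
    sql = "SELECT name FROM users WHERE name IN (" + placeholders + ") ORDER BY name"
    # Note: SQLite caps the number of bound parameters per statement
    # (SQLITE_MAX_VARIABLE_NUMBER); batch very long lists.
    return [row[0] for row in conn.execute(sql, list(names))]


if __name__ == "__main__":
    conn = make_db()
    print("bound, normal:   ", find_by_names_bound(conn, ["alice", "carol"]))
    print("bound, payload:  ", find_by_names_bound(conn, [PAYLOAD]))
    print("concat, payload: ", find_by_names_concat(conn, [PAYLOAD]))
```

Run as a script it prints the two legitimate names for the bound query, an empty list when the payload is bound (no user is literally named that), and all three users when the same payload is concatenated. Only the placeholder list is built from the parameter count; no user-controlled text ever reaches the statement string.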