From: Tore Halset <halset(at)pvv(dot)ntnu(dot)no>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: prepared statements and sql injection
Date: 2006-10-18 19:15:03
Message-ID: 27E3C862-C1A8-4063-8F34-819A4C4F786F@pvv.ntnu.no
Lists: pgsql-jdbc
Hello.
Sorry for asking this newbie question, but reading the following web
page made me get a bit paranoid:
http://jdbc.postgresql.org/documentation/81/server-prepare.html
I am a bit concerned about "There are a number of ways to enable
server side prepared statements depending on your application's
needs". I am using prepared statements to be sure that my application
is not vulnerable to SQL injection attacks, but I do not specify a
"prepare threshold". Should I?
Without specifying a PrepareThreshold, are my SQL statements
"unprepared" in the JDBC driver before being sent to the server? Or are
they sent to the server as prepared statements? Does the
PrepareThreshold control whether my statements are actually prepared,
or whether the execution plan is cached?
- Tore.
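The following is an added illustration, not code from the poster or from the PostgreSQL JDBC driver project, of the distinction the question is circling: what protects against injection is that the value is sent as a bind parameter separate from the SQL text, while the prepare threshold (set here through the driver's `PGStatement.setPrepareThreshold` method, which the linked page documents) only controls when the driver switches to a named server-side prepared statement whose plan is reused. The JDBC URL, the `users(name, role)` table and the hostile input string are assumptions constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.postgresql.PGStatement;

public class BindParameterDemo {

    // Placeholder connection string; replace with a real one to run this.
    static final String URL = "jdbc:postgresql://localhost/demo_db";

    // Constructed input that would change the meaning of a query if it were
    // spliced into the SQL text as a literal.
    static final String HOSTILE_NAME = "x' OR '1'='1";

    /** Vulnerable pattern: the value becomes part of the SQL text itself. */
    static int countByNameConcat(Connection conn, String name) throws SQLException {
        String sql = "SELECT count(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /**
     * Safe pattern: the SQL text is fixed at compile time and the value is
     * shipped to the server as a bind parameter. Whether or not the driver has
     * reached the prepare threshold and created a named server-side statement,
     * the parameter never becomes SQL syntax.
     */
    static int countByNameBound(Connection conn, String name, int threshold) throws SQLException {
        String sql = "SELECT count(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // Driver-specific knob from the linked documentation page: after
            // `threshold` executions the driver uses a named server-side
            // prepared statement so the plan is cached. This affects
            // performance only, not how the parameter is transported.
            // (Behind a pooling wrapper, ps.unwrap(PGStatement.class) may be
            // needed instead of the cast.)
            ((PGStatement) ps).setPrepareThreshold(threshold);
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            // Concatenation: the hostile input rewrites the WHERE clause and
            // the count covers every row in the table.
            System.out.println("concat : " + countByNameConcat(conn, HOSTILE_NAME));

            // Bound parameter, threshold 0 (never switch to a named statement)
            // and threshold 1 (switch immediately): both look for a user whose
            // name is literally "x' OR '1'='1" and return 0 either way.
            System.out.println("bound/0: " + countByNameBound(conn, HOSTILE_NAME, 0));
            for (int i = 0; i < 3; i++) {
                System.out.println("bound/1: " + countByNameBound(conn, HOSTILE_NAME, 1));
            }
        }
    }
}
```

Running this against a small `users` table is a quick way to verify the point for yourself: the concatenated query returns the full row count for the hostile input, while the bound query returns 0 regardless of the threshold value, because the threshold decides only whether the server keeps a reusable plan for the fixed SQL text.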