| From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
|---|---|
| To: | Tore Halset <halset(at)pvv(dot)ntnu(dot)no> |
| Cc: | pgsql-jdbc(at)postgresql(dot)org |
| Subject: | Re: prepared statements and sql injection |
| Date: | 2006-10-18 20:27:36 |
| Message-ID: | 45368E38.4090008@opencloud.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Tore Halset wrote:
> Without specifying a PrepareThreshold, are my sql statements
> "unprepared" in the jdbc driver before sent to the server? Or are they
> sent to the server as prepared statements? Does the PrepareThreshold
> control whether my statements are actually prepared or if the execution
> plan are cached?
When using the v3 protocol (7.4 servers and later) parameter values are
always sent out-of-line from the query. The prepare threshold controls
server-side statement reuse (i.e. caching of parse/plan results) only.
Even in cases where parameters are interpolated into the query string
(e.g. when talking to a pre-7.4 server) the driver makes sure that
parameter values are correctly quoted, so as long as you are correctly
using parameter placeholders at the JDBC level you shouldn't need to
worry about injection vulnerabilities there.
-O
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Cramer | 2006-10-19 22:44:36 | JDBC CTS failures |
| Previous Message | Tore Halset | 2006-10-18 19:15:03 | prepared statements and sql injection |