Re: [JDBC] Prepared statement performance...
Peter Kovacs <peter.kovacs@sysdata.siemens.hu>
From: "Peter Kovacs" <peter.kovacs@sysdata.siemens.hu>
To: "Curt Sampson" <cjs@cynic.net>, "Barry Lind" <barry@xythos.com>
Cc: "Dmitry Tkach" <dmitry@openratings.com>, <pgsql-general@postgresql.org>, <pgsql-jdbc@postgresql.org>
Date: 2002-10-14T07:30:41Z
Lists: pgsql-general
> > The uses of the Statement object and PreparedStatement object do not > > IMHO have anything to do with you many times you use them. They have to > > do with how you supply values in the sql statement. If you use just the > > Statement object you are required to know the postgres date format in > > order to include a date value, where it is much easier (and more > > portable across databases) to just use a PreparedStatement, a ?, and a > > setDate() call. > > I agree entirely. Even more importantly, it's much, much more difficult > to write a secure application (one not subject to SQL injection attacks) > if you are forced to quote data yourself. The driver already knows how > to deal with any string you pass to it; why would you want to re-write > that code, possibily introducing errors into it? (For those not familiar > with SQL injection attacks, I'm referring to the situation where someone > types, say, "foo'; DROP TABLE bar;" into the "Name" field on your web > form, or whatever.) > I do not clearly understand what the problem is with someone typing in "foo'; DROP TABLE bar;" into the "Name" field on your web form.