Re: [JDBC] Prepared statement performance...

Peter Kovacs <peter.kovacs@sysdata.siemens.hu>

From: "Peter Kovacs" <peter.kovacs@sysdata.siemens.hu>
To: "Curt Sampson" <cjs@cynic.net>, "Barry Lind" <barry@xythos.com>
Cc: "Dmitry Tkach" <dmitry@openratings.com>, <pgsql-general@postgresql.org>, <pgsql-jdbc@postgresql.org>
Date: 2002-10-14T07:30:41Z
Lists: pgsql-general
> > The uses of the Statement object and PreparedStatement object do not
> > IMHO have anything to do with you many times you use them.  They have to
> > do with how you supply values in the sql statement.  If you use just the
> > Statement object you are required to know the postgres date format in
> > order to include a date value, where it is much easier (and more
> > portable across databases) to just use a PreparedStatement, a ?, and a
> > setDate() call.
>
> I agree entirely. Even more importantly, it's much, much more difficult
> to write a secure application (one not subject to SQL injection attacks)
> if you are forced to quote data yourself. The driver already knows how
> to deal with any string you pass to it; why would you want to re-write
> that code, possibily introducing errors into it? (For those not familiar
> with SQL injection attacks, I'm referring to the situation where someone
> types, say, "foo'; DROP TABLE bar;" into the "Name" field on your web
> form, or whatever.)
>

I do not clearly understand what the problem is with someone typing in
"foo'; DROP TABLE bar;" into the "Name" field on your web form.