PreparedStatement or straight JDBC

Discussions

General J2EE: PreparedStatement or straight JDBC

  1. PreparedStatement or straight JDBC (8 messages)

    i think that prepared statements are only relevant when doing repeated operations. i see no advantage to prepared statements when you are only doing a single query or insert. any comments out there?
  2. What do you mean by "straight JDBC"? Building a query string? This can be a security risk.

    For example...

    String name = request.getAttribute("name");
    String password = request.getAttribute("password");
    String query = "Select * from user_table where name= '" + name + "' and password = '" + password + "'";

    What will happen if I input "x' or 1=1 --" as my name and "xx" as my password ??
    This means
    String name = "x' or 1=1 --" ;
    String password = "xx";

    and the query would be

    Select * from user_table where name='x' or 1=1 --' and password='xx'
    Notice how the 1=1 condition was inserted and rest of the code commented off. Now this query is going to return me all the rows in the database The above code and will print the message "User Present".Further on , if you attempt to take the user details ,i.e. you do
    ResultSet rs = stmt.execute(query);
    if(rs.next()){
             String userAddress = rs.getString(2);
              String creditCardNumber = rs.getString(3);
    }
    you will actually get the details of the very first record in the table. The cracker can go ahead now as a valid user of the system.
  3. good point.
  4. What about backslashing all the "dangerous" symbols in the query attributes?

    This is one of the most popular solutions.

    Alex.
  5. Just use Prepared Statements to avoid the risk.
  6. prepared statemnets provide a type-safe interface...
    you don't worry abut the format of the dat, you don't care about the special characters in the strings... etc... I think this is a valuable quality.

    Secondly... using prepared statements opens doors to declarative behaviour.... you can have the statements placed in a configuration file and read them during the initialization process.... thus if minor changes need to be made to the query... change in table name... specifying the schema etc... you don't need to code'n compile again
  7. Most of the replies you have are down a blind alley

    You are correct in your statement.

    If a statement will only ever be executed once in the "existence" of a bean then it would be just as effective to execute it directly by including the string variable in the Execute statement.

    But remember that the actual Bean "shell" may be pooled and re-used by the container. So the statement may only be executed once in one method or in the life of one bean "instance" however the bean "shell"'s initialisation acllbacks may cover its serial use by many difefrent instances. So parameterisation and Preparation of the statement may be effective if the statement is frequently used due to concurrency at highload.

    Moore
  8. Wow. You're a SUPER genius.
  9. i'll second jeff's opinion :-D