echo: rberrypi
to: ALL
from: MARTIN GREGORIE
date: 2020-09-12 17:54:00
subject: Re: Pi Hardware

On Sat, 12 Sep 2020 17:31:37 +0200, Björn Lundin wrote:

> Den 2020-09-12 kl. 13:35, skrev Martin Gregorie:
>> Is that the same as a prepared statement, as used by JDBC or (IIRC)
>> ODBC interface modules? Prepared statements are designed specifically
>> to protect your database against injection attacks
>
> I don't think so. Prepared statements have been around longer than the
> web form. Prepared statements are used if you don't want the database to
> create a new execution path every time you execute a statement where
> only the parameters are changed. For at least Oracle, it is a way to
> keep the statement in the SGA cache. It is all about performance.
> That it is safer for webforms may be good - but not the reason it exists
>
> 
> "PREPARE creates a prepared statement. A prepared statement is a
> server-side object that can be used to optimize performance."
>
>
> When I started coding professionally I learned that PREPARE is the way
> to go - no concatenating strings to a statement. This was in 1997.
> The code base suggests that Sql.Prepare in our sql module had been around
> for many years already then.
>
>
>
>> If your DBMS supports database procedures, using them is also a good
>> way to avoid injection attacks.
>
> And then you have a hard time switching databases.
> Keep business logic in code and traceability in triggers.
> At least I find that to be a sound principle.

Agreed: I've never used it with a modern DB - I remember using the DEC
equivalent, which I seem to remember as about the only way you could
interface the DEC RDBMS from COBOL on a VAX, on the only VAX-based
project I ever worked on. I may also have used the odd database procedure
with Postgres 9 on the small NCR Unix boxes we used to host ATM
networks, but don't really remember because I did far more work on the
network side of those (X.25, not TCP/IP!).

But, when all you had was a choice between assembling SQL statements with
sprintf() statements or using database procedures then you used the
latter if hackery was a possibility.

IIRC the early ODBC modules didn't support prepared statements, but I
might be wrong about that.


--
Martin    | martin at
Gregorie  | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
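The two approaches the thread contrasts, side by side: the sprintf()-style query that splices the value into the SQL text, and the prepared/parameterised query where the SQL text stays fixed and the value is passed separately as data. This is an added illustration, not code from the thread; it uses Python's bundled sqlite3 module and a constructed in-memory `users` table so it runs without a database server. A name containing an apostrophe is enough to show the difference: the concatenated version mis-parses it as SQL, the parameterised one treats it as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("bob",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """sprintf()-style: the untrusted value becomes part of the SQL text,
    so any quote or keyword inside it is parsed as SQL, not as data."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared/parameterised form: the statement text is constant and the
    value is bound to the placeholder, so it can only ever be compared as data."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups for the same input and return (concat_result, prepared_result).
    The concatenated query's parse error is captured as a string instead of raised."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: %s" % exc
    prepared = lookup_prepared(conn, name)
    conn.close()
    return concat, prepared


if __name__ == "__main__":
    for user in ("alice", "O'Brien"):
        concat, prepared = compare(user)
        print("input=%r  concat=%r  prepared=%r" % (user, concat, prepared))
```

Both forms agree on a plain name; on `O'Brien` the concatenated query fails to parse while the bound parameter returns exactly the matching row.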

SOURCE: echomail via QWK@docsplace.org
