Re: How to make getText() return the result in case sensitive ?
On Tue, 30 Sep 2008, Lew wrote:
> Tom Anderson wrote:
>> I don't see how type safety has anything to do with it. It's the idea
>> of separating the text of the command and the text of the parameters
>> that does it. You could have exactly the same separation, and exactly
>> the same security, in a typeless language.
> All right, but it remains that PreparedStatement isn't the only way to
> reject SQL injection. Immunity against SQL injection is important, but
> that does not require PreparedStatement, it's facilitated by
> PreparedStatement.
Oh, I see what you mean. Yes, true.
>> Hang on, when you say 'type safety', what do you mean? Do you mean at the
>> java level, or preventing the client code sending an integer parameter
>> where a string is needed and things like that? I'd been assuming the
>> former, but I'm not sure I've understood right.
> I rate protection against injection by mathematical expectation - not
> only the fact that it happens, but the likelihood of occurrence makes
> type safety more important. You always need type safety; SQL injection
> attacks are rare by comparison.
If you mean java-level type safety, then this is manifestly untrue, since
there are highly successful typeless languages, which show that you never
need type safety. If you mean SQL-level type safety, then yes, you're
quite right.
tom
--
IMPORTANCE MEMO: >>> WHEN YOU BUY AN N-GAGE QD <<< PLEASE, please CONTINUE
TO TALK ON THE SIDE!!$ Note: the other party will not be able to hear you,
BUT WHO REALLY CRAPS A THING, SIDETALKIN' 2009++!!!
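An added illustration of the two points argued above (not code from either poster): the command/parameter separation Tom describes, done with PreparedStatement, and the typed-parameter route Lew alludes to, where an int check alone keeps the concatenated SQL safe. It assumes a hypothetical table users(id INTEGER, name TEXT) and an open JDBC Connection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example; assumes a table users(id INTEGER, name TEXT) exists.
public class UserLookup {

    // Command text and parameter text are mixed into one string, so the
    // database parses whatever 'name' contains as part of the SQL.
    // This is the pattern the thread is warning against.
    static List<String> byNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Separation: the SQL text is fixed and sent first; the value travels
    // afterwards as data bound to the '?', so it can never extend the command.
    static List<String> byNameSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Lew's point: PreparedStatement is not the only defence. Once the
    // parameter is a checked int, the concatenated text can only contain
    // digits (and a sign), never SQL syntax. This works only for such narrow
    // types; for free text like a name, parameter binding remains the answer.
    static List<String> byIdTyped(Connection conn, String rawId) throws SQLException {
        int id = Integer.parseInt(rawId); // NumberFormatException on anything but an integer
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT name FROM users WHERE id = " + id)) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }
}
```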