Re: How to make getText() return the result in case sensitive ?
Tom Anderson wrote:
I don't see how type safety has anything to do with it. It's the
idea of separating the text of the command and the text of the
parameters that does it. You could have exactly the same separation,
and exactly the same security, in a typeless language.
Lew wrote:
All right, but it remains that PreparedStatement isn't the only way
to reject SQL injection. Immunity against SQL injection is
important, but that does not require PreparedStatement, it's
facilitated by PreparedStatement.
Tom Anderson wrote:
Oh, i [sic] see what you mean. Yes, true.
Hang on, when you say 'type safety', what do you mean? Do you mean at
the java level, or preventing the client code sending an integer
parameter where a string is needed and things like that? I'd been
assuming the former, but i'm not sure i've understood right.
I meant the latter. The whole prepared statement mechanism, supported by
PreparedStatement, is about type safety from the database point of view. It's
not exactly type safety Java-style, in the sense that it's supported at run
time rather than compile time, but it's still type safety. It is this
"database type safety" that makes the SQL injection protection automatic.
There's no way a "?" parameter can be confused with the SQL command itself in
a prepared statement, or a PreparedStatement.
Furthermore, i wonder if you could use generics to unite the two.
I really like this idea. Your outline is a really good start.
... something like: ... (really good ideas here)
....
My head hurts.
Yah. Good start, though. Take two aspirin and keep going.
--
Lew
"Aspirin" was originally a brand name, but in the U.S. has become the common name.