Subject Re: [Firebird-Java] Re: JayBird: Problems with Prepared Statements
Author David Jencks
On Sep 6, 2005, at 11:10 AM, Roman Rokytskyy wrote:

>> Thank you for the explanation! So it seems that the database engine is
>> 'responsible' for the unavailability of that feature, not the driver.
>
> You can state it that way, but in fact the database is 'responsible'
> for supporting prepared statements which are used to increase the speed
> of the applications.
>
>> It's not unwillingness. I simply thought that I can spare an extra
>> method for the prepared statements, as it would be largely of the same
>> kind as the existent one, but it seems that I definitely need such.
>
> That is the wrong approach. If you want to use prepared statements, handle
> them separately as they were designed to. If you want to execute just
> strings, nobody prevents you from doing it - use java.sql.Statement. It is
> conceptually wrong to use prepared statement only to convert question
> marks into string representation of the parameters - it is much easier
> to construct the right string in the application already.

Not only conceptually wrong, an incredibly bad idea from a security
standpoint. You should NEVER use unprepared statements with anything
resembling user-supplied input included as it opens your program to all
sorts of SQL injection attacks. At the very least, malicious users
will be provided with an easy way to crash your database server, if not
take over the entire server.

I recommend you use only prepared statements, even for static sql.

david jencks

>
> Roman
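To make the point of the thread concrete, here is an added Java example (not code from the thread, from Jaybird or from the original poster) showing the "substitute the question marks yourself" approach Roman argues against next to the bound-parameter form David recommends. The connection URL, table name, column name and credentials are placeholders; the apostrophe in the sample name is enough to show why the substitution approach is not equivalent.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class CustomerLookup {
    // Placeholder connection details (assumption): adjust host, port, path and user.
    private static final String URL = "jdbc:firebirdsql://localhost:3050/path/to/db.fdb";
    private static final String USER = "DB_USER";
    private static final String PASSWORD = "DB_PASSWORD";
    // The approach the original poster described: paste the value into the SQL
    // text and run it through java.sql.Statement. Any quote character in the
    // value becomes part of the SQL grammar instead of being compared as data,
    // which is the injection exposure David describes.
    static String naiveFill(String sqlWithPlaceholder, String value) {
        return sqlWithPlaceholder.replace("?", "'" + value + "'");
    }
    static int countByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = naiveFill("SELECT COUNT(*) FROM CUSTOMER WHERE NAME = ?", name);
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }
    // Recommended form: the statement text is compiled once by the engine and the
    // value is sent separately as a bound parameter, so it is never parsed as SQL.
    static int countByNameSafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM CUSTOMER WHERE NAME = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
    public static void main(String[] args) throws SQLException {
        // A perfectly ordinary input that happens to contain an apostrophe.
        String name = "O'Brien";
        try (Connection c = DriverManager.getConnection(URL, USER, PASSWORD)) {
            System.out.println("prepared: " + countByNameSafe(c, name));
            // naiveFill produces WHERE NAME = 'O'Brien', which the engine rejects
            // as malformed SQL; for other inputs the text stays valid but no longer
            // means what the program intended.
            System.out.println("naive:    " + countByNameUnsafe(c, name));
        }
    }
}
```

Running it against a Firebird database with Jaybird on the classpath, the prepared form returns a count while the naive form throws an SQLException for this input; the difference in behaviour on the same value is the whole argument for binding parameters even for static SQL.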