But why are parameterized queries considered to be safe? Does this method just escape special characters? Or is there another security mechanism behind the function?
jRDC2 can work with any database that provides a JDBC driver. All popular databases are supported.
It is much more powerful than the PHP based solution and it has excellent performance. It is also safer as the SQL commands are set in the server side.
Honestly, I don't know a solution where the SQL commands are not set on the server side. I guess nobody would ever send a whole SQL query to a server ...
Another way of looking at it, it separates code from data in such a way that data cannot be interpreted as code. And that is a very good thing in this case (SQL).
Wrong, LucasM. Look at the code of jRDC2. The string in the config properties becomes the SQL Statement portion and what you are passing becomes the parameter that will be escaped by the method used by the server (a parameterized query).
Hummm, was it tried? At this point, seems not.
I don't know enough about this - just it seems illogical to me. The ? is expecting one param - not a string of params...
It is escaped. Period. It's a single parameter that never becomes two. In this case the query would look for a customer whose id is "1; DROP TABLE Customer". Most likely there is no such customer, so an empty result set will be returned and the customer table has not been harmed.
Not so, it is good to raise such questions - otherwise we sit here wondering without knowing what is TRUE and what is FALSE.
Thanks @OliverA for setting this straight...
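To make the point from the thread concrete (the bound value stays one parameter and never turns into a second statement), here is an added example in Python with sqlite3; it is not jRDC2's own Java/JDBC code, and the Customer table, its rows and the "1; DROP TABLE Customer" input are constructed for the demonstration. It puts the parameterized lookup next to the string-concatenated one so the difference in outcome is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a small Customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Customer VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    return conn


def lookup_parameterized(conn, customer_id):
    """Safe form: '?' is a placeholder and the driver binds the value as data.

    Whatever the value contains, it is compared against the id column as a
    single parameter; it is never parsed as SQL text.
    """
    sql = "SELECT id, name FROM Customer WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def lookup_concatenated(conn, customer_id):
    """Vulnerable form: the value is pasted into the SQL text.

    sqlite3.execute() refuses to run more than one statement, so
    executescript() is used here to mimic a driver that accepts batches.
    """
    conn.executescript("SELECT id, name FROM Customer WHERE id = " + customer_id + ";")


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Customer'"
    ).fetchone()
    return row is not None


def demo():
    payload = "1; DROP TABLE Customer"   # the input discussed in the thread
    conn = make_db()
    safe_rows = lookup_parameterized(conn, payload)   # no customer has that id -> []
    safe_intact = table_exists(conn)                  # True: table untouched
    conn2 = make_db()
    lookup_concatenated(conn2, payload)
    unsafe_intact = table_exists(conn2)               # False: second statement ran
    return safe_rows, safe_intact, unsafe_intact


if __name__ == "__main__":
    print(demo())
```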