Dave Watts wrote: >> That said, SQL Inject attacks /can/ be prevented by doing >> proper data cleaning for all queries that use values >> generated by outsiders (URL params, forms, etc.) I'm just >> saying that Oracle, DB2 and the others prefer to prevent >> things at the database level, rather than putting the >> security burden on the developer. > > Whether you can run multiple queries within a single SQL batch is generally > determined by the JDBC drivers (or other database clients) being used, not > by the database.
The JDBC standard prohibits multiple queries in one prepared statement and most drivers stick to that. If you don't use prepared statements, most drivers allow almost everything. Jochem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236924 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
