>> I'm with Hans on this one. Any examples of a JDBC driver where PreparedStatement doesn't behave like that? <<
I also agree with Hans. If you use PreparedStatement and setString(), or do the escaping yourself, there is NO loophole... at least not with any reasonably well-written JDBC driver. To think that the escaping would be done incorrectly would be an unbelievably egregious security hole, as this discussion has pointed out. I'd also argue that with that being the case, doing a pre-authorization outside the database is no more secure, and in fact just introduces unnecessary complexity.

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com