Comments on IBM WCS - IBM WebSphere Commerce Blog: "ServerJDBCHelperAccessBean, should you or should you not?" (post by Raj Sanghvi; comment feed retrieved 2024-03-12; all times -07:00)

Josef Nedstam, 2011-08-08 01:27:
You are saying "Internally uses preparedStatement". Are you implying that it is safe from SQL injection? Else you have to be VERY careful when you create your query string. If there is untrusted data, anything can happen.

Jordan, 2011-08-11 06:55:
What are the performance implications of using the ServerJDBCHelperAccessBean? Does it use the connection pool?

Raj Sanghvi, 2011-08-11 15:37:
@Jofeemannen It is recommended as an OWASP practice to use PreparedStatements and parametrize queries; it definitely defends against a lot of SQL injection, but I can't say it completely eliminates it.

Raj Sanghvi, 2011-08-11 15:44:
@Jordan, performance-wise, prepared statements internally have a pool, and they cache SQL queries that are optimized. That being said, I personally would not recommend using it wherever you could use EJBs, but if EJBs are not an option, or if you have multiple tables, I can't think of any huge performance issues.
Also, internally it uses the same connection pool and JDBC datasource, and so you could use the flush method to flush the EJBCache down the pipe.

Jordan, 2011-08-11 19:34:
Thanks Raj!

mak, 2016-09-25 08:28:
As of 2016, if I use ServerJDBCHelperAccessBean to execute an SQL query with concatenated parameters (so not a parametrized query, because there is no "?" placeholder), it will prepare the statement but not protect against SQL injection. Right?
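The point raised by Josef Nedstam and mak above (a statement that is "prepared" but whose SQL text was built by string concatenation is still injectable; only a "?" placeholder with a separately bound value is safe) is not specific to WebSphere Commerce, so here is an added, self-contained illustration of it. This is example code written for this page, not code from the blog post or from IBM's ServerJDBCHelperAccessBean. It uses Python's sqlite3 module in place of a WCS JDBC data source, and the table name, column names and rows are constructed sample data, not the WCS schema. The two lookup functions correspond to the two ways the comments describe calling the helper: handing it a fully concatenated SQL string, versus handing it SQL with a placeholder plus the value to bind (the helper's parameterized methods take an argument array for that; I have not checked the exact method names against the WCS Javadoc, so treat that as an assumption).

```python
import sqlite3

# Constructed sample data standing in for a WebSphere Commerce member table;
# the table and column names are illustrative, not the real WCS schema.
SAMPLE_ROWS = [
    ("wcsadmin", "wcsadmin@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (logonid TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, logonid: str) -> list:
    """The pattern mak asks about: the SQL text is assembled by string
    concatenation and only then handed to the driver.  The driver does
    prepare this text, but the caller's input is already part of the
    statement, so preparation offers no protection against injection."""
    sql = "SELECT logonid, email FROM member WHERE logonid = '" + logonid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, logonid: str) -> list:
    """The safe pattern: a '?' placeholder in the SQL text and the value
    bound separately, so the input can never alter the statement's shape."""
    sql = "SELECT logonid, email FROM member WHERE logonid = ?"
    return conn.execute(sql, (logonid,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a hostile logon id and return the
    number of rows each call produced."""
    conn = open_sample_db()
    benign = "alice"
    # Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
    malicious = "' OR '1'='1"
    return {
        "concat_benign": len(lookup_concatenated(conn, benign)),
        "concat_malicious": len(lookup_concatenated(conn, malicious)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_malicious": len(lookup_parameterized(conn, malicious)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the tautology payload the concatenated query returns every row in the table (the WHERE clause collapses to `logonid = '' OR '1'='1'`), while the parameterized query returns none, because the bound value is compared as the literal string `' OR '1'='1`. The practical rule for ServerJDBCHelperAccessBean, or any other wrapper over java.sql.PreparedStatement, follows directly: "uses a prepared statement" only helps when every piece of untrusted data arrives through a placeholder, never through the SQL string itself.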