Friday, 15 January 2010

java - Some information about the JDBC logic in Spring Framework application -


I am learning how to use JDBC within a Spring application and have some uncertainty about it.

So, allow me to explain my doubts with a practical example:

If I have a class that implements a DAO interface, and this class contains the following method to insert a new row in the pupil table of the database:

public void create(String name, Integer age) {
    // "?" are bind parameters; JdbcTemplate fills them from the arguments below
    String sql = "INSERT INTO pupil (name, age) VALUES (?, ?)";
    jdbcTemplateObject.update(sql, name, age);
    System.out.println("Created record name = " + name + " age = " + age);
}

This method has 2 input parameters: name and age, related to the 2 columns in the database table (name and age).

OK... I think the sql string represents the SQL query that has to be executed to insert a new row in the table.

I have a problem understanding what this piece of code means: values(?, ?)

I think that when I call the update() method on the JdbcTemplate object, passing the SQL query, the name and the age value, these ? placeholders are replaced by these values.

So the query can be executed.

Is this right?

Is it the update() method that replaces these placeholders?

I have read that these placeholders are used so that I don't have to worry about escaping values... what does it mean to escape a value?

And lastly a question about the use of PreparedStatement... reading the Spring documentation I have read that I can pass a PreparedStatement to the update() method... what is the difference? In this case does Spring create a new PreparedStatement using the SQL string and the 2 input parameters, or does it use something different?

It avoids SQL injection.

If you did this:

"INSERT INTO pupil (name, age) VALUES ('"+name+"', "+age+")"

consider what happens if name is "mary', 3), ('john', 13)--"

The query becomes:

INSERT INTO pupil (name, age) VALUES ('mary', 3), ('john', 13)--', 24)

and when we ignore the SQL comment --:

INSERT INTO pupil (name, age) VALUES ('mary', 3), ('john', 13)

2 records are inserted.

You can of course study how to escape or filter the name string, but this is error prone, and it's easy to forget and leave a query vulnerable, so you might as well use prepared statements, which make this impossible.

Escaping means prepending an escape character before SQL meta characters so that their meaning changes.

If you escaped name, the query would be:

INSERT INTO pupil (name, age) VALUES ('mary\', 3), (\'john\', 13)--', 24)

i.e. name is literally "mary', 3), ('john', 13)--" and no SQL injection has happened.
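The three cases the answer walks through (concatenation, manual escaping, placeholders), run against a real database as an added example that is not part of the question or the answer. It uses Python's built-in sqlite3 module instead of Spring so that it runs with no driver or dependencies; the mechanism is the same one the question asks about: the SQL text with "?" placeholders is compiled first and the values are bound afterwards, which is what JdbcTemplate.update(sql, name, age) does through a JDBC PreparedStatement. The hostile name is the one from the answer; the table schema and the age 24 are constructed for the demo. One caveat the example makes visible: the answer's backslash escaping is MySQL's convention, while SQLite (and standard SQL) escapes a quote by doubling it, which is part of why hand escaping is easy to get wrong across databases.

```python
import sqlite3

# Constructed demo table standing in for the question's "pupil" table
# (in-memory SQLite; no real database or schema is assumed).
SCHEMA = "CREATE TABLE pupil (name TEXT NOT NULL, age INTEGER NOT NULL)"

# The hostile name from the answer above, used as constructed test input.
PAYLOAD = "mary', 3), ('john', 13)--"


def fresh_db():
    """Return a new in-memory database with an empty pupil table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def create_concatenated(conn, name, age):
    """Vulnerable form from the answer: the values are glued into the SQL
    text, so a quote inside `name` ends the string literal and the rest of
    the name is parsed as SQL (the "2 records inserted" case)."""
    sql = "INSERT INTO pupil (name, age) VALUES ('" + name + "', " + str(age) + ")"
    conn.execute(sql)


def create_escaped(conn, name, age):
    """Manual escaping. SQLite's rule is to double single quotes inside a
    literal (the answer's backslash form is MySQL's rule). It works here,
    but every call site must remember it and the rule differs per database,
    which is why the answer calls this approach error prone."""
    escaped = name.replace("'", "''")
    sql = "INSERT INTO pupil (name, age) VALUES ('" + escaped + "', " + str(age) + ")"
    conn.execute(sql)


def create_parameterized(conn, name, age):
    """Prepared-statement form, the equivalent of
    jdbcTemplateObject.update(sql, name, age): the SQL is compiled with "?"
    placeholders and the driver binds the values afterwards, so the content
    of `name` is never interpreted as SQL."""
    sql = "INSERT INTO pupil (name, age) VALUES (?, ?)"
    conn.execute(sql, (name, age))


def rows_after_insert(insert_fn, name, age):
    """Run one insert strategy against a fresh table and return its rows."""
    conn = fresh_db()
    try:
        insert_fn(conn, name, age)
        return conn.execute("SELECT name, age FROM pupil ORDER BY rowid").fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (create_concatenated, create_escaped, create_parameterized):
        print(fn.__name__, "->", rows_after_insert(fn, PAYLOAD, 24))
```

Running it shows the concatenated version storing two rows, ('mary', 3) and ('john', 13), while both the escaped and the parameterized versions store a single row whose name is the whole hostile string with age 24. Only the parameterized version gets that result without any per-database quoting rule in application code, which is the point of the answer's recommendation.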

java spring spring-mvc jdbc prepared-statement
