[Esapi-user] [OWASP-ESAPI] Any codec for Sybase?

Jim Manico jim.manico at owasp.org
Thu Sep 16 22:42:45 EDT 2010


They are last resort. There are edge (very edgy) cases where PreparedStatements dramatically harm performance and manual escaping is required. I will review the JavaDoc and explain this in better detail.

-Jim Manico
http://manico.net

On Sep 16, 2010, at 9:29 PM, John Melton <jtmelton at gmail.com> wrote:

> Jim, 
> If the DB encoders are not recommended, should they be removed, or at least deprecated for future removal?  
> 
> Thanks,
> John
> 
> On Thu, Sep 16, 2010 at 10:22 PM, Jim Manico <jim.manico at owasp.org> wrote:
> No to Sybase, and please do NOT use the database encoders! They are a (terrible) last resort (nor can we guarantee perfect SQL Injection protection if you use them to escape dynamic queries).
> 
> If you want complete SQL injection protection, you should be using the Java PreparedStatement class, variable binding, and the latest Sybase JDBC driver.
> 
> Respectfully,
> 
> -Jim Manico
> http://manico.net
> 
> On Sep 16, 2010, at 8:17 PM, Vasten <vasten at gmail.com> wrote:
> 
> > Hi:
> > I see codecs for Oracle and MySQL, is there one for Sybase?
> >
> > Thanks,
> > keith
> > _______________________________________________
> > OWASP-ESAPI mailing list
> > OWASP-ESAPI at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-esapi
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
> 
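
Added example, not part of the original thread and not ESAPI code: a Python/sqlite3 sketch of why escaping a dynamic query is tied to one database's quoting rules while variable binding is not. The table, the sample rows and `backslash_escape` (a constructed backslash-style escaper, not ESAPI's MySQLCodec) are assumptions; SQLite stands in for a database that does not treat backslash as an escape character.

```python
import sqlite3

def backslash_escape(value: str) -> str:
    """Constructed backslash-style escaper (assumption, not ESAPI's codec)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def lookup_escaped(conn, name):
    """Dynamic query: escape the value, then concatenate it into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + backslash_escape(name) + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError:
        # The escaped text no longer parses in this database's dialect.
        return None

def lookup_bound(conn, name):
    """Variable binding: the value never becomes part of the SQL text."""
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a value that closes the string literal early.
    for value in ["bob", "o'brien", "' OR 1=1 --"]:
        print(repr(value),
              "escaped ->", lookup_escaped(db, value),
              "| bound ->", lookup_bound(db, value))
```

With the mismatched escaper, the legitimate name fails to parse and the third value matches every row; the bound query returns only exact matches in both cases.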