This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2019-01-18
I had a question from the security team at work - does clojure.java.jdbc create / use parameterized queries?
@noisesmith If you use ? in query strings, yes.
(and if you use HoneySQL, it lifts values out of the DSL into query parameters too)
(jdbc/query db-spec ["select * from foobar where v > ? and q = ?" v q]) is a parameterized query.
cool - I suspected that but didn't know enough jdbc / sql to verify - the security person was suspicious that it was just string concatenation
Behind the scenes, clojure.java.jdbc creates a PreparedStatement and sets the supplied values as parameter values on it.
Well, if you do (jdbc/query db-spec [(str "select * from foobar where v > " v " and q = " q)]) then, yeah, that is just string concatenation -- and the values are embedded in the SQL and not parameters.
But that also won't work in the general case anyway (since str of anything but numbers isn't a valid piece of SQL).
yeah, doing string ops inside a query should be a red flag for sure
I guess I could make a small proof of concept that would work with string concat and breaks with jdbc/query and positional args
(if argument from authority isn't sufficient)