I had a question from the security team at work - does clojure.java.jdbc create / use parameterized queries?

@noisesmith If you use ? in query strings, yes.

(and if you use HoneySQL, it lifts values out of the DSL into query parameters too)

(jdbc/query db-spec ["select * from foobar where v > ? and q = ?" v q]) is a parameterized query.

cool - I suspected that but didn't know enough jdbc / sql to verify - the security person was suspicious that it was just string concatenation

Behind the scenes, clojure.java.jdbc creates a PreparedStatement and sets the supplied values as parameter values on it.

Well, if you do (jdbc/query db-spec [(str "select * from foobar where v > " v " and q = " q)]) then, yeah, that is just string concatenation -- and the values are embedded in the SQL and not parameters.

But that also won't work in the general case anyway (since str of anything but numbers isn't a valid piece of SQL).

yeah, doing string ops inside a query should be a red flag for sure

security people are always suspicious it's just string concatenation tho

I guess I could make a small proof of concept that would work with string concat and breaks with jdbc/query and positional args

(if argument from authority isn't sufficient)