#sql
2020-12-27
Norman Ziebal01:12:44

Heya, I have a short question about java.jdbc. In the example this is provided:

(j/query mysql-db
  ["select * from fruit where appearance = ?" "rosy"]
  {:row-fn :cost})
Are all arguments escaped in order to prevent SQL injections? (I am sorry, maybe it's trivial, but I wasn't able to find anything regarding escaping in the docs 😞 )

Timur Latypoff08:12:50

So the short answer is “Yes”, this way of passing arguments prevents SQL injections and is recommended :)

👍 3
hiredman02:12:18

Under the hood clojure.java.jdbc and next.jdbc both use PreparedStatement objects, which you can read about here: https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

hiredman02:12:34

The relevant bit is "Prepared statements always treat client-supplied data as content of a parameter and never as a part of an SQL statement."