Norman Ziebal01:12:44

Heya, I have a short question about java.jdbc. In the example this is provided:

(j/query mysql-db
  ["select * from fruit where appearance = ?" "rosy"]
  {:row-fn :cost})
Are all arguments escaped in order to prevent SQL injections? (I am sorry, maybe it's trivial, but I wasn't able to find anything regarding escaping in the docs 😞 )

Timur Latypoff08:12:50

So the short answer is “Yes”, this way of passing arguments prevents SQL injections and is recommended :)


Under the hood, java.jdbc and next.jdbc both use PreparedStatement objects, which you can read about here:

The relevant bit is "Prepared statements always treat client-supplied data as content of a parameter and never as a part of an SQL statement."