This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-12-27
Heya, I have a short question about java.jdbc. In the example this is provided:
(j/query mysql-db
["select * from fruit where appearance = ?" "rosy"]
{:row-fn :cost})
Are all arguments escaped in order to prevent SQL injections? (I am sorry, maybe it's trivial, but I wasn't able to find anything regarding escaping in the docs 😞)
Under the hood, clojure.java.jdbc and next.jdbc both use PreparedStatement objects, which you can read about here: https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
The relevant bit is "Prepared statements always treat client-supplied data as content of a parameter and never as a part of an SQL statement."
So the short answer is “Yes”, this way of passing arguments prevents SQL injections and is recommended :)
👍 3
Thank you!
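The distinction the answer draws (a value spliced into the SQL text versus a value passed as a PreparedStatement parameter) can be seen directly by running both forms against the same hostile input. The following is an added example written for this page; it is not code from the thread or from the clojure.java.jdbc project. It assumes an in-memory H2 database and a deps.edn with org.clojure/java.jdbc 0.7.12 and com.h2database/h2 1.4.200 (the versions are assumptions; any recent releases work). The table, rows and attacker string are constructed for the demo.

```clojure
;; Added example (not from the original thread). Assumed deps.edn:
;;   org.clojure/java.jdbc {:mvn/version "0.7.12"}
;;   com.h2database/h2     {:mvn/version "1.4.200"}
(ns demo.sqli
  (:require [clojure.java.jdbc :as j]))

;; In-memory H2 database. The whole demo runs inside one
;; with-db-connection so the in-memory DB is not dropped between calls.
(def db-spec {:dbtype "h2:mem" :dbname "demo"})

(defn setup!
  "Create the fruit table and insert a few constructed rows."
  [conn]
  (j/db-do-commands conn
    (j/create-table-ddl :fruit [[:name "varchar(32)"]
                                [:appearance "varchar(32)"]
                                [:cost :int]]))
  (j/insert-multi! conn :fruit
    [{:name "Apple"  :appearance "rosy"  :cost 24}
     {:name "Orange" :appearance "round" :cost 49}
     {:name "Peach"  :appearance "fuzzy" :cost 139}]))

;; VULNERABLE: the caller's string is concatenated into the SQL text, so
;; the database parses it as part of the statement. Shown only as the
;; "before" form; do not use this pattern.
(defn cost-by-appearance-unsafe [conn appearance]
  (j/query conn
           [(str "select * from fruit where appearance = '" appearance "'")]
           {:row-fn :cost}))

;; SAFE: the vector form from the question. The `?` placeholder is filled
;; by PreparedStatement.setObject, so the value is never parsed as SQL no
;; matter what characters it contains.
(defn cost-by-appearance [conn appearance]
  (j/query conn
           ["select * from fruit where appearance = ?" appearance]
           {:row-fn :cost}))

(defn -main [& _]
  (j/with-db-connection [conn db-spec]
    (setup! conn)
    (let [honest  "rosy"
          ;; Constructed attacker input: closes the quoted literal and
          ;; appends an always-true condition.
          hostile "x' OR '1'='1"]
      (println "unsafe, honest input: " (cost-by-appearance-unsafe conn honest))
      (println "unsafe, hostile input:" (cost-by-appearance-unsafe conn hostile))
      (println "safe,   honest input: " (cost-by-appearance conn honest))
      (println "safe,   hostile input:" (cost-by-appearance conn hostile)))))
```

Run it with `clj -M -m demo.sqli`. Both functions return the cost of the single rosy fruit for the honest input. For the hostile input the concatenating version has executed `select * from fruit where appearance = 'x' OR '1'='1'` and returns the cost of every row, while the parameterized version looks for a fruit whose appearance is literally the string `x' OR '1'='1` and returns no rows. One caveat the thread does not cover: `?` parameters only carry values. Table and column names, `ORDER BY` targets and similar identifiers cannot be parameterized, so anything user-controlled in those positions has to be checked against an allow-list before it is spliced into the SQL string.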