geoffc;2139607 Wrote:
> On 9/20/2011 11:46 AM, 42sd wrote:
> The docs explain how, and I excerpted that into an article:
> 'Calling Stored Procedures with the IDM JDBC Driver | Novell User Communities'
> 'Using the JDBC Driver and Direct SQL | Novell User Communities'

Sorry to resurrect this thread, but I have a very similar problem to
the original poster and I didn't see anything in the JDBC driver
documentation or in the two articles posted above that addresses the issue.

I need to send a custom query to the database, and I am also concerned
about the possibility of a SQL injection attack. Using the
<jdbc:statement> with a <jdbc:sql> element is not satisfactory because
it sends a dynamic query to the database using the
java.sql.Statement.executeQuery(String sql) method, which is vulnerable
to SQL injection attacks. Like the OP, using <jdbc:call-procedure> or
<jdbc:call-function> is also not an option because they can only be used
to invoke stored procedures or functions in the database, and in my case
getting a custom stored procedure or function added to the database just
to facilitate IDM syncing is not going to happen.

Ideally I would like to be able to just create a prepared statement,
populate the parameters with appropriate values and have the driver
execute the corresponding java.sql.PreparedStatement.executeQuery().

I imagine having something in the policy looking similar to:

<jdbc:sql->select a1, a2 from table where b1 = ? and b2 =

Is there any way that I can achieve the intent of what I've written
above with the current JDBC driver?



wcatlyn's Profile:
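Added example, not code from the post or from the IDM JDBC driver: the lookup the poster describes written against plain java.sql, first as the dynamic-text query that ends up in Statement.executeQuery(String), then as the PreparedStatement form the post asks for. The Connection is assumed to be supplied by the caller, and the table name `table` and the columns a1, a2, b1, b2 are the post's own placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class ParameterizedLookup {
    // The query from the post, with its two bind markers. "table" is the
    // post's placeholder name; substitute the real table before running.
    private static final String LOOKUP_SQL =
        "select a1, a2 from table where b1 = ? and b2 = ?";

    // What a dynamic <jdbc:sql> text amounts to once the attribute values
    // have been spliced in and handed to Statement.executeQuery(String):
    // a value containing a single quote ends the literal, and whatever
    // follows is parsed as SQL rather than compared as data.
    static List<String[]> lookupUnsafe(Connection conn, String b1, String b2)
            throws SQLException {
        String sql = "select a1, a2 from table where b1 = '" + b1
                   + "' and b2 = '" + b2 + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // The form the post asks for: the SQL text is fixed, the values are
    // bound as parameters, and the database never parses them as SQL.
    static List<String[]> lookupSafe(Connection conn, String b1, String b2)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(LOOKUP_SQL)) {
            ps.setString(1, b1);
            ps.setString(2, b2);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Copy the result set into memory so the statement can be closed.
    private static List<String[]> collect(ResultSet rs) throws SQLException {
        List<String[]> rows = new ArrayList<>();
        while (rs.next()) {
            rows.add(new String[] { rs.getString("a1"), rs.getString("a2") });
        }
        return rows;
    }
}
```

Whether the IDM driver exposes an equivalent of lookupSafe is the open question of this thread; the block only shows what the two JDBC calls do with the same input.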