| From: | Kevin Grittner <kgrittn(at)ymail(dot)com> |
|---|---|
| To: | David Johnston <polobo(at)yahoo(dot)com>, "pgsql-jdbc(at)postgresql(dot)org" <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: single quotation confusion |
| Date: | 2013-04-07 14:11:22 |
| Message-ID: | 1365343882.92008.YahooMailNeo@web162902.mail.bf1.yahoo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
David Johnston <polobo(at)yahoo(dot)com> wrote:
> R10 wrote
>> for example if a String txt = "it's cold" and to be inserted
>> into a sql query "insert into test values ('"+txt+"')";
>> it gives me
>> syntax error at or near "s"
>>
>> any ideas how to solve that problem ??
>
> In short you do not build queries by directly concatenating
> user-supplied data. You use a PREPARED STATEMENT with
> placeholders and then use the setXXX methods to map the data.
>
> SQL: INSERT INTO test VALUES (?)
Yeah, David's suggestion is the way to go. Trying to handle this
in an ad hoc fashion opens you to a class of attack known as "SQL
injection". When concatenating without proper handling of quotes
(which drivers will do for you) you should consider yourself
*lucky* if the worst you have seen is errors.
The above link also illustrates why you shouldn't run the
application under a user ID which has permission to execute DML.
--
Kevin Grittner
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Wooten | 2013-04-08 10:54:37 | Update on new driver progress |
| Previous Message | David Johnston | 2013-04-07 01:10:44 | Re: single quotation confusion |