| From: | "Charles H(dot) Woloszynski" <chw(at)clearmetrix(dot)com> |
|---|---|
| To: | Richard Huxton <dev(at)archonet(dot)com> |
| Cc: | javaholic <monroy(at)mindspring(dot)com>, pgsql-sql(at)postgresql(dot)org |
| Subject: | Re: How does postgres handle non literal string values |
| Date: | 2002-11-26 16:05:27 |
| Message-ID: | 3DE39BC7.8000603@clearmetrix.com |
| Lists: | pgsql-sql |
Actually, we use JDBC Prepared Statements for this type of work. You
put a query with '?' in as placeholders and then add in the values and
the library takes care of the encoding issues. This avoids the double
encoding of (encode X as String, decode string and encode as SQL X on
the line). There was a good article about a framework that did this in
JavaReport about 18 months ago.
We have gleaned some ideas from that article to create a framework
around using PreparedStatements as the primary interface to the
database. I'd suggest looking at them. They really make your code much
more robust.
Charlie
>"')..."
>
>You *will* want to escape the username and password otherwise I'll be able to
>come along and insert any values I like into your database. I can't believe
>the JDBC classes don't provide
>
>1. Some way to escape value strings
>2. Some form of placeholders to deal with this
--
Charles H. Woloszynski
ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015
tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com
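The two approaches discussed in this thread side by side, as an added example that is not code from either poster. It assumes the PostgreSQL JDBC driver is on the classpath, a reachable database whose JDBC URL, user and password are passed on the command line, and a `users` table with `username` and `password` columns (the original code is visible only as the `"')..."` fragment quoted above, so the table layout is an assumption). The table is created as a TEMP table and the attacker input is constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginCheck {

    // Vulnerable: untrusted values are spliced into the SQL text, so quote
    // characters and comment markers in the input become SQL syntax.
    static String buildConcatenatedQuery(String username, String password) {
        return "SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'";
    }

    static boolean loginUnsafe(Connection conn, String username, String password)
            throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildConcatenatedQuery(username, password))) {
            return rs.next();
        }
    }

    // Hardened: '?' placeholders; the driver encodes each value for the wire
    // itself, so the query text is fixed and the input can only ever be data.
    static boolean loginSafe(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 3) {
            System.err.println("usage: LoginCheck <jdbc-url> <db-user> <db-password>");
            System.exit(2);
        }
        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            // Assumed, constructed schema for the demo; a TEMP table vanishes
            // with the session. (Plaintext passwords are only for the demo.)
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TEMP TABLE users (id serial PRIMARY KEY,"
                         + " username text NOT NULL, password text NOT NULL)");
            }
            try (PreparedStatement ins = conn.prepareStatement(
                    "INSERT INTO users (username, password) VALUES (?, ?)")) {
                ins.setString(1, "alice");
                ins.setString(2, "correct horse");
                ins.executeUpdate();
            }

            // Constructed attacker input: closes the string literal, adds an
            // always-true condition and comments out the password check.
            String evilUser = "' OR 1=1 --";
            String wrongPass = "not the password";

            System.out.println("concatenated SQL: " + buildConcatenatedQuery(evilUser, wrongPass));
            System.out.println("loginUnsafe with attacker input: "
                             + loginUnsafe(conn, evilUser, wrongPass));   // true: bypassed
            System.out.println("loginSafe with attacker input:   "
                             + loginSafe(conn, evilUser, wrongPass));     // false: treated as data
            System.out.println("loginSafe with real credentials: "
                             + loginSafe(conn, "alice", "correct horse")); // true
        }
    }
}
```

Run it with something like `java -cp postgresql.jar:. LoginCheck jdbc:postgresql://localhost/test dbuser dbpass`. With the concatenated query the `WHERE` clause collapses to `username = '' OR 1=1` and everything after `--` is a comment, so the wrong password is never checked; with the prepared statement the same bytes are looked up literally as a username and no row matches.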