Re: How does postgres handle non literal string values

From: "Charles H(dot) Woloszynski" <chw(at)clearmetrix(dot)com>
To: vernonw(at)gatewaytech(dot)com
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: How does postgres handle non literal string values
Date: 2002-12-04 13:00:18
Message-ID: 3DEDFC62.6060703@clearmetrix.com
Lists: pgsql-sql

Vernon:

Agreed. We use Struts (as our MVC framework), and then a data access
layer (we call persistables) that uses the PreparedStatements. Our JSPs
only get data to render *after* the business logic has decided that all
logic has been performed successfully.

The end-result is easily compartmentalized code (lots of code factoring)
that makes for very robust applications. We are working on moving this
framework to PostgreSQL (from Oracle) and we expect to have to touch the
SQL statements (which are each in their own class, again for re-use) and
perhaps two or three other classes to deal with any JDBC driver issues.
When we make the transition successfully, I hope to be able to
publicize the work and the value of PostgreSQL.

Charlie

Vernon Wu wrote:

>In general, it isn't a good idea to have SQL statements in JSP files. A good practice is using Model 2. Struts is a
>popular Model 2 framework. If your application is very small and it won't grow into a big one, you can get around using
>Model 1. In that situation, the SQL tags of JSTL will be a recommended mechanism.
>
>11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw(at)clearmetrix(dot)com> wrote:
>
>
>
>>Actually, we use JDBC Prepared Statements for this type of work. You
>>put a query with '?' in as placeholders and then add in the values and
>>the library takes care of the encoding issues. This avoids the double
>>encoding of (encode X as String, decode string and encode as SQL X on
>>the line). There was a good article about a framework that did this in
>>JavaReport about 18 months ago.
>>
>>We have gleaned some ideas from that article to create a framework
>>around using PreparedStatements as the primary interface to the
>>database. I'd suggest looking at them. They really make your code much
>>more robust.
>>
>>Charlie
>>
>>
>>
>>
>>>"')..."
>>>
>>>You *will* want to escape the username and password otherwise I'll be able to
>>>come along and insert any values I like into your database. I can't believe
>>>the JDBC classes don't provide
>>>
>>>1. Some way to escape value strings
>>>2. Some form of placeholders to deal with this
>>>
>>>
>>>
>>>
>>>
>>--
>>
>>
>>Charles H. Woloszynski
>>
>>ClearMetrix, Inc.
>>115 Research Drive
>>Bethlehem, PA 18015
>>
>>tel: 610-419-2210 x400
>>fax: 240-371-3256
>>web: www.clearmetrix.com
>>
>>
>>
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 5: Have you checked our extensive FAQ?
>>
>>http://www.postgresql.org/users-lounge/docs/faq.html
>>
>>
>>
>
>
>
>
>---------------------------(end of broadcast)---------------------------
>TIP 6: Have you searched our list archives?
>
>http://archives.postgresql.org
>
>

--

Charles H. Woloszynski

ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com
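An added example, not code from this thread or from ClearMetrix's framework: the login check the quoted posts argue about, written three ways against an in-memory SQLite table in Python. JDBC PreparedStatement uses '?' placeholders; Python's sqlite3 module uses the same qmark style, so the parameterised form reads the same as the JDBC one. The table, its single account and the two injection payloads are constructed for the example.

```python
import sqlite3

# Added example (not code from the thread): the same login query written with
# string concatenation, with hand-written escaping, and with '?' placeholders.
# The table, the one account and the payloads below are constructed sample data.

def make_db():
    """Constructed sample data: one account in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Values spliced into the SQL text: the pattern the earlier poster warned about.
    Whatever the user typed becomes part of the statement the server parses."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_escaped(conn, username, password):
    """Manual escaping (doubling single quotes). Correct for this quoting rule,
    but every call site has to remember it, and the value is still parsed as SQL."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + esc(username)
           + "' AND password = '" + esc(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_prepared(conn, username, password):
    """'?' placeholders: the statement text is fixed and the values are bound
    separately by the driver, so they are never re-parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def add_user_prepared(conn, username, password):
    """Binding also removes the ordinary quoting chore: a name containing a
    quote (O'Brien) goes in unchanged, with no escaping written by hand.
    Returns the number of rows stored under that name."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

def run_demo():
    """Run the three variants against two constructed injection payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"    # makes the WHERE clause true for every row
    comment = "alice'--"         # closes the quote, comments out the password check
    return {
        "concat_tautology": login_concat(conn, "alice", tautology),
        "concat_comment": login_concat(conn, comment, "anything"),
        "escaped_tautology": login_escaped(conn, "alice", tautology),
        "prepared_tautology": login_prepared(conn, "alice", tautology),
        "prepared_comment": login_prepared(conn, comment, "anything"),
        "prepared_good": login_prepared(conn, "alice", "s3cret"),
        "quoted_name_rows": add_user_prepared(conn, "O'Brien", "pw"),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the block shows both payloads getting past the concatenated query, neither getting past the escaped or the bound form, and the quoted name being stored without any escaping code. The point the thread makes is the third function: with placeholders there is no string to escape and nothing for the server to misparse, which is why the value never has to be encoded as SQL text at all.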
