Re: escape string for pgsql (using jdbc/java)?

From: Oliver Jowett <oliver(at)opencloud(dot)com>
To: Tobias Thierer <t_thierer(at)yahoo(dot)de>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: escape string for pgsql (using jdbc/java)?
Date: 2007-01-28 22:53:01
Message-ID: 45BD294D.5040002@opencloud.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-jdbc

Tobias Thierer wrote:
> Kris Jurka wrote:
>
>>> 1.) Is there a built-in method somewhere in the jdbc driver that
>>> escapes
>>> strings and makes them safe to use in an SQL statement (inside a
>>> string)?
>>
>>
>> There is org.postgresql.core.Utils#appendEscapedString, but it's not
>> something we support or advertise. It's really for internal use only.
>
>
> I dislike that this method expects me to tell it whether i have
> standard_conforming_strings set - this kinda defeats the "write once,
> run everywhere" principle.

If you want something portable just use PreparedStatement.setString()
and parameter placeholders. The "preparation" overhead you are worrying
about is not really an issue as the PreparedStatement implementation is
designed to handle one-shot queries as well as reused queries
efficiently .. since PreparedStatement is often used just for parameter
value interpolation to avoid exactly the issues you are encountering.

-O

In response to

Responses

Browse pgsql-jdbc by date

  From Date Subject
Next Message Tobias Thierer 2007-01-29 23:27:48 Re: escape string for pgsql (using jdbc/java)?
Previous Message Kris Jurka 2007-01-28 22:36:39 Re: Strange result from DatabaseMetaData.getTablePrivileges()