Re: How does postgres handle non literal string values
Charles H. Woloszynski <chw@clearmetrix.com>
From: "Charles H. Woloszynski" <chw@clearmetrix.com>
To: Richard Huxton <dev@archonet.com>
Cc: javaholic <monroy@mindspring.com>, pgsql-sql@postgresql.org
Date: 2002-11-26T16:05:27Z
Lists: pgsql-sql
Actually, we use JDBC Prepared Statements for this type of work. You put a query with '?' in as placeholders and then add in the values and the library takes care of the encoding issues. This avoids the double encoding of (encode X as String, decode string and encode as SQL X on the line). There was a good article about a framework that did this in JavaReport about a 18 months ago. We have gleaned some ideas from that article to create a framework around using PreparedStatements as the primary interface to the database. I'd suggest looking at them. They really make your code much more robust. Charlie >"')..." > >You *will* want to escape the username and password otherwise I'll be able to >come along and insert any values I like into your database. I can't believe >the JDBC classes don't provide > >1. Some way to escape value strings >2. Some form of placeholders to deal with this > > > -- Charles H. Woloszynski ClearMetrix, Inc. 115 Research Drive Bethlehem, PA 18015 tel: 610-419-2210 x400 fax: 240-371-3256 web: www.clearmetrix.com