On Fri, 6 Sep 2002, David Castro wrote:
> > PreparedStatement ps=conn.
> > prepareStatement("insert into tablename values (?,?,?)");
> > ps.setString(1, "O'Donnell"); // correctly escaped
> > ps.setTimestamp(2, new Timestamp(myDate.getTime()));
> > ps.setInt(3, 4);
> > ps.executeUpdate();
> >
> > I'm typing from memory and a bit blurry, so some method names may be
> > incomplete but note how much work I put into converting the apostrophes, and
> > how hard I had to try to get the date formatted properly. For any compliant
> > JDBC driver, this code will work as intended, and I didn't have to do
> > anything for it. Welcome to Java.
>
> Another option is to use the Jakarta DBTags tag library
> (http://jakarta.apache.org/taglibs/doc/dbtags-doc/intro.html), which has a
> <sql:escapeSql> tag that handles all of the conversion stuff for you, too.
Just for completeness, I should probably also point out that those using
JSP 1.2 containers might want to look at JSTL's database tags instead of
those in DBTags. JSTL is specified to use PreparedStatement, which
addresses the problem implicitly; you can use a <sql:param> tag to
parameterize queries.
(Development of DBTags has effectively halted, having restricted itself to
JSP 1.1 intentionally to let JSTL supersede it for JSP 1.2.)
For more information, see
http://jakarta.apache.org/taglibs
for both DBTags and Jakarta Taglibs's implementation of JSTL.
--
Shawn Bayern
"JSTL in Action" http://www.jstlbook.com
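As an added example, not code from the original thread: a JSP 1.2 page that performs the same insert as the quoted JDBC snippet through JSTL 1.0's <sql:update>, then reads rows back with <sql:query>, binding every value (including request input) with <sql:param> so that it reaches the driver as a PreparedStatement parameter rather than as text spliced into the SQL. The data source settings, the column names and the request parameter name are assumptions.

```jsp
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jstl/sql"  prefix="sql" %>

<%-- Assumed data source for the example; a real deployment would usually
     obtain it from JNDI or configure it in web.xml instead --%>
<sql:setDataSource var="ds" driver="org.hsqldb.jdbcDriver"
    url="jdbc:hsqldb:mem:demo" user="sa" password=""/>

<%-- A java.util.Date for the timestamp column, mirroring new Timestamp(myDate.getTime()) --%>
<jsp:useBean id="now" class="java.util.Date"/>

<%-- Same insert as the JDBC snippet: each value is bound to a ? placeholder,
     so the apostrophe in the name never becomes part of the SQL text --%>
<sql:update dataSource="${ds}" var="inserted">
  insert into tablename values (?, ?, ?)
  <sql:param value="O'Donnell"/>
  <sql:dateParam value="${now}" type="timestamp"/>
  <sql:param value="4"/>
</sql:update>

<%-- Request input takes the same route: a bound parameter, never concatenation
     (column names name/created/qty and the request parameter are assumed) --%>
<sql:query dataSource="${ds}" var="result">
  select name, created, qty from tablename where name = ?
  <sql:param value="${param.name}"/>
</sql:query>

<%-- c:out escapes XML characters by default, which keeps the round trip
     safe on the output side as well --%>
<c:forEach var="row" items="${result.rows}">
  <c:out value="${row.name}"/> inserted at <c:out value="${row.created}"/><br/>
</c:forEach>
```

With the quoted name stored as written, a request such as ?name=O'Donnell matches the inserted row without any manual escaping on the page.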