Christos Karras wrote:

> Yes, I use JDBC (with the MySQL Connector/J driver). I did not find a
> way in the JDBC API to escape a string before inserting it in a SQL
> string.
> The JDBC PreparedStatement class is able to escape parameters (in a
> database specific way) with the setString(parameterIndex, string)
> method, but it's designed for hard-coded insert/update queries.
>
> I use a custom function to generate queries that update only fields
> that need to be updated, so I can't use PreparedStatement (unless I make
> my code hard to read/modify). The setString() method must be calling a
> MySQL specific escape function internally, but I don't know if there's
> something in JDBC to call that function directly or if it is private.
> Any ideas?

Christos,

There is nothing public in the API that allows you to do this (although
you could just go look at how it is done in
PreparedStatement.setString() since the driver ships with the source).

The JDBC API in general expects that you will build 'ad-hoc' queries
with prepared statements, both for performance and security reasons (SQL
injection).

There are many 'clean' ways of using prepared statements for this,
ranging from rolling your own and keeping track of when you need to
append a string to your query, and replace it with a '?' instead, and go
back and re-substitute all of your strings with .setString() from the
list of substitutions you've made, to using an ORM that has a
query-builder API, like Hibernate's Criteria API that lets you build SQL
in an object-oriented way, and takes care of all of this behind the scenes.

        -Mark
-- 
Mr. Mark Matthews
MySQL AB, Software Development Manager, J2EE and Windows Platforms
Office: +1 708 332 0507
www.mysql.com

Meet the MySQL Team! April 14-16, 2004 http://www.mysql.com/uc2004/
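The "roll your own" approach Mark describes, written out as an added example (not code from this thread or from Connector/J): a small builder that collects only the changed columns, emits a '?' for each value, keeps the values in a list, and binds them with PreparedStatement afterwards. The DynamicUpdate class, the users table and the sample values are assumptions made for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Builds "UPDATE t SET c1 = ?, c2 = ? WHERE key = ?" for only the fields that changed. */
public final class DynamicUpdate {
    private final String table;
    private final Map<String, Object> changed = new LinkedHashMap<>(); // keeps insertion order

    public DynamicUpdate(String table) { this.table = table; }

    // Record one field. Column names must come from code, never from user input:
    // a '?' can carry a value but never an identifier, so a dynamic column needs a whitelist.
    public DynamicUpdate set(String column, Object value) {
        changed.put(column, value);
        return this;
    }

    // SQL text with one '?' per value, so user data never enters the query string.
    public String sql(String keyColumn) {
        if (changed.isEmpty()) throw new IllegalStateException("nothing to update");
        List<String> sets = new ArrayList<>();
        for (String col : changed.keySet()) sets.add(col + " = ?");
        return "UPDATE " + table + " SET " + String.join(", ", sets) + " WHERE " + keyColumn + " = ?";
    }

    // Values in placeholder order, key value last: the "list of substitutions" to bind.
    public List<Object> params(Object keyValue) {
        List<Object> p = new ArrayList<>(changed.values());
        p.add(keyValue);
        return p;
    }

    // Prepare, bind and run; the driver escapes each value for the target database.
    public int execute(Connection conn, String keyColumn, Object keyValue) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql(keyColumn))) {
            int idx = 1;
            for (Object v : params(keyValue)) ps.setObject(idx++, v);
            return ps.executeUpdate();
        }
    }
    public static void main(String[] args) { // offline demo with constructed values, no database needed
        DynamicUpdate u = new DynamicUpdate("users").set("email", "o'brien@example.com").set("nick", "Rob");
        System.out.println(u.sql("id") + "   params: " + u.params(42));
    }
}
```

Because the quote in o'brien@example.com travels as a bound parameter rather than as query text, the driver handles it and the SQL string itself never needs escaping.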

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]