Actually, we use JDBC Prepared Statements for this type of work. You put a query with '?' in as placeholders and then add in the values, and the library takes care of the encoding issues. This avoids the double encoding of (encode X as String, decode string and encode as SQL X on the line). There was a good article about a framework that did this in JavaReport about 18 months ago.
We have gleaned some ideas from that article to create a framework around using PreparedStatements as the primary interface to the database. I'd suggest looking at them. They really make your code much more robust.

Charlie


"')..."

You *will* want to escape the username and password otherwise I'll be able to come along and insert any values I like into your database. I can't believe the JDBC classes don't provide
1. Some way to escape value strings
2. Some form of placeholders to deal with this


--

Charles H. Woloszynski

ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com
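Added example (not from the thread or from ClearMetrix's framework): the concatenated query that the earlier message warns about, next to the PreparedStatement form Charlie describes, where the SQL text is fixed and the driver binds the '?' placeholders. The table and column names, the connection URL and the sample inputs are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    // Constructed "before" version: the query text is assembled from user input.
    // Any apostrophe in the input terminates the string literal, so the data
    // becomes part of the SQL the server parses. Shown only to contrast with
    // the parameterised form below; do not use this pattern.
    static String concatenatedQuery(String username, String password) {
        return "SELECT id FROM users WHERE name = '" + username
             + "' AND password = '" + password + "'";
    }

    // Parameterised version: the statement text never changes, and setString()
    // hands the values to the driver, which does the quoting/encoding for the
    // database's own dialect. The value is always treated as data, never as SQL.
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // 1-based placeholder index
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();        // a row came back => credentials matched
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // A perfectly legitimate name shows the problem without any attack input:
        // the apostrophe in O'Brien breaks the literal and the query is malformed.
        String name = "O'Brien";
        System.out.println(concatenatedQuery(name, "secret"));
        // prints: SELECT id FROM users WHERE name = 'O'Brien' AND password = 'secret'

        // Hypothetical connection URL; pass a real one as the first argument to
        // run the safe path against a database that has a users(name, password) table.
        String url = args.length > 0 ? args[0] : "jdbc:postgresql://localhost/app";
        try (Connection conn = DriverManager.getConnection(url)) {
            // The same name is bound safely: no quoting is needed in the caller.
            System.out.println("authenticated: " + authenticate(conn, name, "secret"));
        }
    }
}
```

The check to make in a code review is simple: the string passed to prepareStatement() should be a compile-time constant with '?' markers, and every user-supplied value should reach the database only through a setXxx() call.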
