Aaron Porter wrote:

> > This makes the JDBC driver take care of the embedded single
> > quote, which it
> > will do in whatever manner is appropriate for the database
> > you are running on.
>
> I don't think any JDBC drivers actually escape characters when you are using
> a PreparedStatement. The parameters are actually placed using function calls
> to the DB instead of replacing the question marks in the SQL statement.
> PreparedStatements are much more flexible than normal Statements and I use
> them for all but the simplest queries.
>

Just for one example, check out the source code for Mark Matthews's *excellent*
JDBC driver for MySQL.  In the PreparedStatement.setString() class, he very
carefully scans for delimiters that will cause problems, and escapes them the
way that MySQL wants them.

I (obviously) don't have the source, but my experience is that Oracle's JDBC
driver does this as well.


>
> Aaron
>

Craig
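The three approaches this thread is comparing, as an added example that is not part of Craig's or Aaron's messages and not code from any JDBC driver: splicing the value straight into the SQL text, escaping the delimiter client-side (what Craig attributes to the MySQL driver's setString()), and binding the value as a parameter (what Aaron describes for PreparedStatement). It uses Python's sqlite3 module, whose `?` placeholder plays the same role as the JDBC `?`, because it runs without a database install; the table, the sample names and the escape helper are constructed for the illustration, and the doubled-quote escape is the ANSI/SQLite form rather than the backslash form MySQL uses.

```python
import sqlite3

# Constructed sample data: names with and without an embedded single quote.
SAMPLE_NAMES = ["O'Brien", "Smith", "D'Angelo"]


def make_db():
    """Create an in-memory SQLite database with a small users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    for name in SAMPLE_NAMES:
        # Insert via parameter binding so the fixture itself is quote-safe.
        conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """The approach the thread warns against: splicing the value into the SQL text.
    Returns the matching names, or the exception class name if the statement breaks."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # An embedded quote ends the literal early; SQLite rejects the statement.
        return type(exc).__name__


def escape_single_quotes(value):
    """Client-side escaping in the style Craig attributes to the MySQL driver's
    setString(): scan the value and neutralise the delimiter before splicing.
    SQLite/ANSI SQL doubles the quote; MySQL's default backslash form is not used here."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    """Driver-style escaping: the value is still spliced into the text, but the
    delimiter has been escaped first, so the literal stays one literal."""
    sql = "SELECT name FROM users WHERE name = '" + escape_single_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Parameter binding, the PreparedStatement approach Aaron describes: the SQL
    text never changes, and the value is handed to the engine separately."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def compare(name):
    """Run the same lookup three ways against a fresh database and return the results."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, name),
            "escaped": lookup_escaped(conn, name),
            "bound": lookup_bound(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for n in ("Smith", "O'Brien"):
        print(n, compare(n))
```

For "Smith" all three lookups agree. For "O'Brien" the concatenated statement fails with an `OperationalError`, while the escaped and the bound forms both return the row; whether a given JDBC driver reaches that result by escaping inside setString() or by sending the parameter out of band is the driver's business, and the calling code is the same either way.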

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html