Hi all,

> Has anybody had to deal with users entering sql statements 
> in fields not intended to?

Yes, and there is actually just one safe way to deal with this:
Dynamic SQL.  Replace the user data with "?" or whatever the database
uses (I think Oracle uses ":1", ":2", etc.), and use setParameter()
to set the real values.  Same thing works for getting the data back.

Not only does this make it possible to use quotes within the data, it
is the _only_ way that always works with those annoying chars above
127 that we tend to use in various places in Europe.  I don't know
how hard it would be to modify Peer to do this, though.

This method also makes it possible to cache the precompiled statements,
which helps performance somewhat.

I wish I had time to add this to Turbine, but I have a more or less
working version in C++ of it at qbf.sourceforge.net.

/Basic
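As an added illustration of the approach described in the post above (this is example code written for this page, not code from the original message and not Turbine/Peer code), the following Python sqlite3 snippet puts the concatenated query next to the placeholder version. The `users` table, its rows and the probe inputs are constructed for the example; sqlite3 uses `?` positional placeholders and `:name` named ones, so both styles mentioned above are shown.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory table with a quote and
    non-ASCII (above 127) characters in the names, as in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("O'Brien", "obrien@example.com"),
            ("Åsa Ärlig", "asa@example.com"),
        ],
    )
    return conn


def find_by_name_unsafe(conn, name):
    """The pattern the post warns about: the user's text is pasted into the
    statement, so it becomes part of the SQL grammar.  Returns the list of
    matching e-mails, or an error string when the statement no longer parses."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # A single apostrophe in the data is enough to break the statement.
        return "SQL error: " + str(exc)


def find_by_name_safe(conn, name):
    """Positional placeholder: the statement text is fixed and the driver
    hands the value over separately, so quotes and any byte value are data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_by_email_safe(conn, email):
    """Named placeholder, the ':name' style the post mentions for Oracle."""
    rows = conn.execute(
        "SELECT name FROM users WHERE email = :email", {"email": email}
    )
    return [row[0] for row in rows]


def demo():
    conn = setup_db()
    probe = "x' OR '1'='1"
    print("unsafe, injected:", find_by_name_unsafe(conn, probe))
    print("safe,   injected:", find_by_name_safe(conn, probe))
    print("unsafe, O'Brien :", find_by_name_unsafe(conn, "O'Brien"))
    print("safe,   O'Brien :", find_by_name_safe(conn, "O'Brien"))
    print("safe,   non-ASCII:", find_by_name_safe(conn, "Åsa Ärlig"))
    print("safe,   by e-mail:", find_by_email_safe(conn, "asa@example.com"))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the three behaviours the post describes: the concatenated query returns every row for the `' OR '1'='1` probe and fails outright on a name that merely contains an apostrophe, while the placeholder version treats both as plain data and also handles the non-ASCII name without any escaping.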



------------------------------------------------------------
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>