Joel McConaughy wrote:

It WOULD be interesting if that's what I did. I actually didn't end up using any bound parameters; just dynamically created the statement. Are you required to use a prepared statement? If so, I'd be interested in why -- it may be something I need to do with my app as well. Sorry I can't be more help...


How are you protecting against SQL Injection attacks?

<esql:query>select * from foo where foo.x = '<xsp-request:get-parameter name="bar"/>'</esql:query>

If you take myVar in any way from a request parameter, what happens if I pass in a value like bar=abc;delete%20from%20foo (try it on your app)?

If you are not _very skillfully_ protecting against unexpected injection of unwanted sql in that form and every variant of it using escaped characters, funny unicode, etc. then you are wide open to sql injection. Parameterized statements in jdbc provide a very good measure of protection against this kind of stuff.

Geoff
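The dynamically built statement Geoff warns about, beside the bound-parameter form the other replies ask about, as an added example that is not part of any message in this thread. It uses Python's sqlite3 module as a stand-in for JDBC: the `?` placeholder plays the role of a PreparedStatement setter, and executescript() stands in for a driver that accepts stacked statements. The table contents, and the closing quote added to the thread's `abc;delete from foo` payload so that it escapes the string literal, are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the thread's `foo` table.
SAMPLE_ROWS = [("abc",), ("def",)]

# The thread's payload, URL-decoded (bar=abc;delete%20from%20foo), with a
# closing quote prepended so the rest escapes the string literal in the
# dynamically built query; the trailing "select '" just re-opens a literal so
# the concatenated text ends as well-formed SQL (select '').
INJECTED_BAR = "abc';delete from foo;select '"


def make_db():
    """Return a fresh in-memory SQLite database holding the constructed `foo` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (x text)")
    conn.executemany("insert into foo values (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rows_remaining(conn):
    """Count rows still in `foo`; shows whether the injected DELETE actually ran."""
    return conn.execute("select count(*) from foo").fetchone()[0]


def lookup_dynamic(conn, bar):
    """Vulnerable form: the request value is pasted into the SQL text, exactly
    as the <esql:query> quoted in the thread does.  executescript() stands in
    for a JDBC driver that accepts stacked statements, so whatever the caller
    smuggles into `bar` is executed as SQL.  Returns the SQL that was built."""
    sql = "select * from foo where foo.x = '" + bar + "'"
    conn.executescript(sql)
    return sql


def lookup_parameterized(conn, bar):
    """Hardened form: the value is bound as a parameter, so the driver hands it
    to the database as data and it can never change the statement's shape.
    The injected text is simply compared against foo.x and matches nothing."""
    return conn.execute("select * from foo where foo.x = ?", (bar,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_dynamic(conn, INJECTED_BAR))
    print("rows after dynamic query:", rows_remaining(conn))        # 0: table emptied

    conn = make_db()
    print(lookup_parameterized(conn, INJECTED_BAR))
    print("rows after parameterized query:", rows_remaining(conn))  # 2: table intact
```

The same split exists in ESQL: the dynamic form is the `<esql:query>` with the request parameter inlined, and the bound form wraps the value in the `<esql:parameter>` tags asked about later in the thread, which makes ESQL emit a PreparedStatement instead of concatenated SQL.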


I ran into the same problem and ended up building the entire sql statement in a String variable within an <xsp:logic> block.




When you did this, were you also using the <esql:parameter> tags to bind parameters? If you were, it sounds like many people would be interested in seeing the example.


