Re: Re: [INTERFACES] New code for JDBC driver

Yes, I agree that it certainly has to be done before SQL is sent to the
driver, i.e. in the middle tier!
Is it a performance bottleneck? Would PreparedStatement be more efficient?

----- Original Message -----
From: Gunnar Rψnning <gunnar(at)polygnosis(dot)com>
To: George Koras <gkoras(at)cres(dot)gr>
Cc: Barry Lind <barry(at)xythos(dot)com>; Arsalan Zaidi <azaidi(at)directi(dot)com>;
PostgreSQL jdbc list <pgsql-jdbc(at)postgresql(dot)org>
Sent: Thursday, July 05, 2001 1:13 PM
Subject: Re: [JDBC] Re: [INTERFACES] New code for JDBC driver

> * "George Koras" <gkoras(at)cres(dot)gr> wrote:
>
> | So I guess a solution would be to escape *quotes* and not *semicolons
out of
> | quotes*, which is the solution I use in my programs and on which
comments
> | are invited . This also prevents the malicious use Arsanal is talking
about,
> | doesn't it?
> |
> | However the PreparedStatement solution (which I haven't tried) seems to
be
> | more elegant.
> |
>
> PreparedStatement is the right solution for this. If you don't trust
> your input SQL either use that or do custom escaping on before sending
> the SQL to the driver.
>
> I wouldn't like to add another performance bottleneck, especially when it
is
> not mandated by the spec. The JDBC driver for Sybase works the same way.
>
> regards,
>
> Gunnar
> --
> Gunnar Rψnning - gunnar(at)polygnosis(dot)com
> Senior Consultant, Polygnosis AS, http://www.polygnosis.com/
>