From: | Richard Huxton <dev(at)archonet(dot)com> |
---|---|
To: | monroy(at)mindspring(dot)com (javaholic), pgsql-sql(at)postgresql(dot)org |
Subject: | Re: How does postgres handle non literal string values |
Date: | 2002-11-26 15:35:02 |
Message-ID: | 200211261535.02419.dev@archonet.com |
Lists: | pgsql-sql |
On Monday 25 Nov 2002 12:57 pm, javaholic wrote:
> Hi All,
>
> I have some jsp code that should insert a user name and password into
> a table called login.
>
> Instead of inserting the values given by the client, it inserts the
> literal strings 'username' and 'password'. The problem is somewhere in
> the INSERT statement.
> String insertString =
> "INSERT INTO \"login\" (\'user\', \'password\')
> VALUES ('username', 'password')";
You're creating an insertString with the literal words "username" and
"password" in them. This is a Java issue, not a PG issue. You'll want
something like (sorry if syntax is wrong, but I don't do Java):
String insertString = "Insert INTO ... VALUES ('" + sql_escaped(username) +
"')..."
You *will* want to escape the username and password, otherwise I'll be able to
come along and insert any values I like into your database. I can't believe
the JDBC classes don't provide
1. Some way to escape value strings
2. Some form of placeholders to deal with this
--
Richard Huxton
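The placeholder approach Richard asks about, as an added example written for this page (not code from the thread); it assumes a PostgreSQL JDBC driver on the classpath and the connection details held in the constants, which are placeholders:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class LoginInsert {
    // Assumed connection details: placeholders, replace with your own.
    private static final String JDBC_URL = "jdbc:postgresql://localhost:5432/mydb";
    private static final String DB_USER = "dbuser";
    private static final String DB_PASS = "dbpass";

    // Table and column names are those from the original post. "user" is a
    // reserved word in PostgreSQL, so it must be double-quoted as an identifier;
    // single quotes ('user') would make it a string literal, not a column name.
    private static final String INSERT_SQL =
        "INSERT INTO \"login\" (\"user\", \"password\") VALUES (?, ?)";

    /**
     * Inserts one login row using JDBC placeholders. The client-supplied values
     * are bound with setString(), so they are never spliced into the SQL text and
     * cannot change the statement's structure, whatever characters they contain.
     * (In a real application store a password hash here, not the plaintext.)
     * Returns the number of rows inserted (1 on success).
     */
    public static int insertLogin(Connection conn, String username, String password)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, username);
            ps.setString(2, password);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input containing quote characters: spliced into the
        // SQL string by concatenation these would break or alter the statement;
        // bound through placeholders they are stored verbatim as plain values.
        String username = "o'brien";
        String password = "pa'ss--word";

        try (Connection conn = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASS)) {
            int rows = insertLogin(conn, username, password);
            System.out.println("rows inserted: " + rows);
        }
    }
}
```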