Skip site navigation (1) Skip section navigation (2)

Re: String escaping?

From: Markus Schaber <schabi(at)logix-tt(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: String escaping?
Date: 2006-12-14 12:27:33
Message-ID: 20061214132733.709740ba@kingfisher.sec.intern.logix-tt.com (view raw or flat)
Thread:
Lists: pgsql-jdbc
Hi, Vit,

Vit Timchishin <tivvpgsqljdbc(at)gtech-ua(dot)com> wrote:

> > I always thought that the Strings that I set with setString() don't
> > have to be escaped at all, the Driver will handle it transparently (by
> > either escaping for V2 protocol, or using BIND with the appropriate
> > encoding).
> >
> > But, of course, when I have a String Literal in the source, I need to
> > add a layer of Java escaping for ", \, and some others.
> >
> >   
> I suppose you've missed the main: "you need to escape only when you are
> using LIKE".

Yes, the LIKE specific escaping will stay there, but that layer is
independent of statement-level escaping.

What I wanted to show was: When you create your queries via String
concatenation, you have to implement the statement-level escaping
yourself, with prepared statements, the driver should completely handle
it.

That's independent of source-level escaping for String literals in
Java, and function-specific escaping inside the text for LIKE or
strings in function definitions.



Regards,
Markus

-- 
Markus Schaber | Logical Tracking&Tracing International AG
Dipl. Inf.     | Software Development GIS

Fight against software patents in Europe! www.ffii.org
www.nosoftwarepatents.org

In response to

pgsql-jdbc by date

Next:From: Ken JohansonDate: 2006-12-14 15:38:26
Subject: Re: Synthesize support for Statement.getGeneratedKeys()?
Previous:From: Vit TimchishinDate: 2006-12-14 11:12:15
Subject: Re: String escaping?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group