Skip site navigation (1) Skip section navigation (2)

Re : Re: secure sql-statments

From: list(at)meinsenf(dot)at
To: mstephenson(at)tirin(dot)openworld(dot)co(dot)uk
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re : Re: secure sql-statments
Date: 2001-11-14 15:14:50
Message-ID: E1641kY-0004zf-00@smtp.inode.at (view raw or flat)
Thread:
Lists: pgsql-jdbc
>> what characters do I have to quote, so that the client can't submit
>> evil sql-statments?
>
>I believe the only characters you need to escape for postgres are '\'
>and ''', but it is easier to rely on the jdbc driver to do it for you
>by using a prepared statement (assuming your using java 2):
>
>PreparedStatement updateStatement = connection.prepareStatement 
>	("update table_1 set col_1 = ?");
>p.setString(1, postParam_1);

ok - I can do this for a specific update-statement!
but can I do something more general like:
PreparedStatement updateStatement = connection.prepareStatement 
"update ? set ? = ? where ? = ?"
and if so - is this still secure!

thanks
michael

pgsql-jdbc by date

Next:From: Dave CramerDate: 2001-11-14 20:01:07
Subject: Patch to fix getIndex for forte's transparent persistence
Previous:From: Michael StephensonDate: 2001-11-14 12:49:05
Subject: Re: secure sql-statments

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group