| From: | Michael Stephenson <mstephenson(at)tirin(dot)openworld(dot)co(dot)uk> |
|---|---|
| To: | PostgreSQL jdbc list <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: [INTERFACES] New code for JDBC driver |
| Date: | 2001-07-11 10:49:26 |
| Message-ID: | Pine.LNX.4.30.0107111146480.14094-100000@tirin.openworld.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-interfaces pgsql-jdbc |
> I agree that it probably is. Unfortunately, as I mentioned in my previous
> post,no one is going to be entering in SQL queries directly through our
> interface. We're not doing it and if someone is, he's up to no good. e.g.
>
> "update users set name='"+name+"'"
>
> If there's a text box in which you enter your name for the first query, I
> can some fun if I enter in
>
> Arsalan'';update funds set money = 100000 where userid =10
>
> Am I right? It's situations like these that I'm trying to prevent. Is there
> a better way?
If I'm not using prepared statements to tend to use something like:
String statement = "update users set name='" + encode(name) + "'";
Where encode is defined as:
/**
* Encode a string suitable for being placed in a query.
*/
final String encode(String dirtyString) {
StringBuffer cleanString = new StringBuffer("");
for (int i = 0; i < dirtyString.length(); i++) {
char c = dirtyString.charAt(i);
cleanString.append(c);
if (c == '\'') {
cleanString.append(c);
}
}
return cleanString.toString();
}
Hope this helps,
Michael Stephenson
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Stosberg | 2001-07-11 17:34:00 | Issues with using 7.1 frontend, 7.0 backend? |
| Previous Message | Dave Page | 2001-07-11 07:12:08 | RE: is there a GUI FOR WIN32 |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tim Barnard | 2001-07-11 10:57:29 | Re: vacuum and 24/7 uptime |
| Previous Message | Jon Folland | 2001-07-11 10:42:24 | RE: JDBC Support - prepared Statements? |