| From: | Michael Stephenson <mstephenson(at)tirin(dot)openworld(dot)co(dot)uk> |
|---|---|
| To: | <list(at)meinsenf(dot)at> |
| Cc: | <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: secure sql-statments |
| Date: | 2001-11-14 12:49:05 |
| Message-ID: | Pine.LNX.4.30.0111141235260.593-100000@tirin.openworld.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
> what characters do I have to quote, so that the client can't submit
> evil sql-statments?
I believe the only characters you need to escape for postgres are '\\'
and '\'', but it is easier to rely on the jdbc driver to do it for you
by using a prepared statement (assuming your using java 2):
PreparedStatement updateStatement = connection.prepareStatement
("update table_1 set col_1 = ?");
p.setString(1, postParam_1);
Doing it this way means there is less to worry about if you ever change
database backends (they might need differing characters escaped), and
the code has already had extensive testing.
Michael
Web Applications Developer
Open World Ltd, The Old Malthouse, Clarence Street, Bath, BA1 5NS.
Tel: +44 1225 444950 Fax: +44 1225 336738
http://www.openworld.org/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | list | 2001-11-14 15:14:50 | Re : Re: secure sql-statments |
| Previous Message | list | 2001-11-14 11:52:37 | secure sql-statments |