
Re: secure sql-statments

From: Michael Stephenson <mstephenson(at)tirin(dot)openworld(dot)co(dot)uk>
To: <list(at)meinsenf(dot)at>
Cc: <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: secure sql-statments
Date: 2001-11-14 12:49:05
Message-ID: Pine.LNX.4.30.0111141235260.593-100000@tirin.openworld.co.uk
Lists: pgsql-jdbc
> what characters do I have to quote, so that the client can't submit
> evil sql-statements?

I believe the only characters you need to escape for postgres are '\\'
and '\'', but it is easier to rely on the jdbc driver to do it for you
by using a prepared statement (assuming you're using java 2):

// The '?' is a parameter marker; the driver supplies the value safely.
PreparedStatement updateStatement = connection.prepareStatement
	("update table_1 set col_1 = ?");
updateStatement.setString(1, postParam_1);
updateStatement.executeUpdate();

Doing it this way means there is less to worry about if you ever change
database backends (they might need differing characters escaped), and
the code has already had extensive testing.

Michael

Web Applications Developer
Open World Ltd, The Old Malthouse, Clarence Street, Bath, BA1 5NS.
Tel: +44 1225 444950                           Fax: +44 1225 336738
http://www.openworld.org/
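An added example (not code from the post) that puts the two approaches side by side: the concatenated statement, shown only so the problem is visible, and the PreparedStatement form Michael recommends. The table and column names are placeholders as in the post; the `id` column, the `where` clause and the JDBC URL passed on the command line are assumptions for the sake of a complete program.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class SafeUpdate {

    // Builds the statement by concatenation. Kept here only to show the
    // defect: the value is spliced into the SQL text, so a quote character
    // inside it changes the structure of the statement.
    static String concatenatedSql(String value) {
        return "update table_1 set col_1 = '" + value + "'";
    }

    // Uses parameter markers; the driver sends the value separately from
    // the SQL text (or escapes it correctly for the backend), so the value
    // is always treated as data, whatever characters it contains.
    static int updateCol1(Connection connection, String value, int id)
            throws SQLException {
        try (PreparedStatement updateStatement = connection.prepareStatement(
                "update table_1 set col_1 = ? where id = ?")) {
            updateStatement.setString(1, value);
            updateStatement.setInt(2, id);
            return updateStatement.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input containing both characters the post mentions.
        String untrusted = "O'Brien \\ 'x'";
        System.out.println(concatenatedSql(untrusted)); // broken SQL text

        // Assumed: a JDBC URL such as jdbc:postgresql://host/db?user=u&password=p
        // passed as the first argument; the schema (table_1, col_1, id) must exist.
        if (args.length > 0) {
            try (Connection connection = DriverManager.getConnection(args[0])) {
                int rows = updateCol1(connection, untrusted, 1);
                System.out.println("rows updated: " + rows);
            }
        }
    }
}
```

Run without arguments it only prints the concatenated text, which is enough to see why the driver, not the application, should handle the value.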