| From: | Gunnar Rønning <gunnar(at)polygnosis(dot)com> | 
|---|---|
| To: | "George Koras" <gkoras(at)cres(dot)gr> | 
| Cc: | "Barry Lind" <barry(at)xythos(dot)com>, "Arsalan Zaidi" <azaidi(at)directi(dot)com>, "PostgreSQL jdbc list" <pgsql-jdbc(at)postgresql(dot)org> | 
| Subject: | Re: Re: [INTERFACES] New code for JDBC driver | 
| Date: | 2001-07-05 10:13:05 | 
| Message-ID: | m2elrvu1ji.fsf@smaug.polygnosis.com | 
| Lists: | pgsql-interfaces pgsql-jdbc | 
* "George Koras" <gkoras(at)cres(dot)gr> wrote:
> So I guess a solution would be to escape *quotes* and not *semicolons out of
> quotes*, which is the solution I use in my programs and on which comments
> are invited. This also prevents the malicious use Arsalan is talking about,
> doesn't it?
>
> However the PreparedStatement solution (which I haven't tried) seems to be
> more elegant.

PreparedStatement is the right solution for this. If you don't trust
your input SQL, either use that or do custom escaping before sending
the SQL to the driver.
I wouldn't like to add another performance bottleneck, especially when it is
not mandated by the spec. The JDBC driver for Sybase works the same way.
regards,
        Gunnar
-- 
Gunnar Rønning - gunnar(at)polygnosis(dot)com
Senior Consultant, Polygnosis AS, http://www.polygnosis.com/
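The contrast the thread is drawing, as an added illustration that is not code from the message or from the PostgreSQL JDBC driver: the concatenated query that breaks on a quote, the hand-escaped variant George describes, and the PreparedStatement form Gunnar recommends. The `users` table, its `id` and `name` columns, and the JDBC URL passed on the command line are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class JdbcQueryExamples {

    // Unsafe form: user input is spliced straight into the SQL text, so a value
    // such as  O'Brien  unbalances the quotes and the driver passes the broken
    // (or altered) statement through to the server unchanged.
    static String buildUnsafeQuery(String userName) {
        return "SELECT id FROM users WHERE name = '" + userName + "'";
    }

    // Hand escaping, the approach discussed in the thread: double every single
    // quote. On PostgreSQL releases where backslash is an escape character inside
    // string literals (the default before 9.1), a trailing backslash in the input
    // would swallow the closing quote, so backslashes have to be doubled too.
    // Having to know such server-side rules is why hand escaping is fragile.
    static String escapeLiteral(String value) {
        return value.replace("\\", "\\\\").replace("'", "''");
    }

    static String buildEscapedQuery(String userName) {
        return "SELECT id FROM users WHERE name = '" + escapeLiteral(userName) + "'";
    }

    // Recommended form: the value travels as a bound parameter and is never
    // interpreted as part of the SQL text, whatever characters it contains.
    static Integer findUserId(Connection conn, String userName) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String input = "O'Brien";   // constructed sample input
        System.out.println(buildUnsafeQuery(input));   // unbalanced quote
        System.out.println(buildEscapedQuery(input));  // quote doubled, read as data
        // Assumed: a JDBC URL such as jdbc:postgresql://host/db?user=u&password=p
        // is passed as the only argument; without it only the string forms are shown.
        if (args.length == 1) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                System.out.println(findUserId(conn, input));
            }
        }
    }
}
```

The escaping helper is kept only to make the thread's trade-off concrete; the point of the PreparedStatement path is that the application never has to track which characters the server treats specially.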