Re: How does postgres handle non literal string values

From: Vernon Wu <vernonw(at)gatewaytech(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: How does postgres handle non literal string values
Date: 2002-12-04 05:22:37
Message-ID: 2FXV72GHB762VC01VURWMGPMNMD8.3ded911d@kimiko
Lists: pgsql-sql

In general, it isn't a good idea to have SQL statements in JSP files. A good practice is using Model 2. Struts is a
popular Model 2 framework. If your application is very small and it won't grow into a big one, you can get around using
Model 1. In that situation, the SQL tags of JSTL will be a recommended mechanism.

11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw(at)clearmetrix(dot)com> wrote:

>Actually, we use JDBC Prepared Statements for this type of work. You
>put a query with '?' in as placeholders and then add in the values and
>the library takes care of the encoding issues. This avoids the double
>encoding of (encode X as String, decode string and encode as SQL X on
>the line). There was a good article about a framework that did this in
>JavaReport about 18 months ago.
>
>We have gleaned some ideas from that article to create a framework
>around using PreparedStatements as the primary interface to the
>database. I'd suggest looking at them. They really make your code much
>more robust.
>
>Charlie
>
>
>>"')..."
>>
>>You *will* want to escape the username and password otherwise I'll be able to
>>come along and insert any values I like into your database. I can't believe
>>the JDBC classes don't provide
>>
>>1. Some way to escape value strings
>>2. Some form of placeholders to deal with this
>
>--
>
>Charles H. Woloszynski
>
>ClearMetrix, Inc.
>115 Research Drive
>Bethlehem, PA 18015
>
>tel: 610-419-2210 x400
>fax: 240-371-3256
>web: www.clearmetrix.com

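An added illustration of the PreparedStatement approach Charlie describes (example code written for this page, not code from the thread). It assumes a PostgreSQL JDBC driver on the classpath and a table named users with columns username and password_hash; the connection details are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Assumed schema (not from the thread):
 *   CREATE TABLE users (username text PRIMARY KEY, password_hash text NOT NULL);
 */
public class UserRegistration {

    // The pattern the thread warns against: the submitted values are pasted
    // into the SQL text, so a quote character inside them changes the
    // structure of the statement instead of being stored as data.
    static String unsafeInsert(String username, String passwordHash) {
        return "INSERT INTO users (username, password_hash) VALUES ('"
                + username + "', '" + passwordHash + "')";
    }

    // Parameterised form: the SQL text is fixed when the statement is
    // prepared and each '?' marks where the driver binds a value. Values are
    // sent as data, so a name such as O'Brien needs no hand-written escaping.
    static final String SAFE_INSERT =
            "INSERT INTO users (username, password_hash) VALUES (?, ?)";

    static int registerUser(Connection conn, String username, String passwordHash)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(SAFE_INSERT)) {
            ps.setString(1, username);      // bound as data, not SQL text
            ps.setString(2, passwordHash);  // store a hash, never the raw password
            return ps.executeUpdate();      // rows inserted (1 on success)
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection settings; replace with your own.
        String url = "jdbc:postgresql://localhost:5432/appdb";
        try (Connection conn = DriverManager.getConnection(
                url, "appuser", System.getenv("PGPASSWORD"))) {
            int rows = registerUser(conn, "O'Brien", "$argon2id$...placeholder...");
            System.out.println("inserted rows: " + rows);
        }
    }
}
```

The driver, not the JSP, is responsible for quoting, which is the "double encoding" problem Charlie mentions going away.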