Re: Re: secure sql-statements

From: list@meinsenf.at
Subject: Re: Re: secure sql-statements
Msg-id: E1641kY-0004zf-00@smtp.inode.at
List: pgsql-jdbc
>> what characters do I have to quote, so that the client can't submit
>> evil sql-statements?
>
>I believe the only characters you need to escape for postgres are '\'
>and ''', but it is easier to rely on the jdbc driver to do it for you
>by using a prepared statement (assuming you're using java 2):
>
>PreparedStatement updateStatement = connection.prepareStatement
>    ("update table_1 set col_1 = ?");
>updateStatement.setString(1, postParam_1);   // bind the value; the driver escapes it
>updateStatement.executeUpdate();

ok, I can do this for a specific update-statement!
but can I do something more general like:
PreparedStatement updateStatement = connection.prepareStatement
    ("update ? set ? = ? where ? = ?");
and if so, is this still secure?

thanks
michael
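The answer to the question above turns on one rule that holds for JDBC's PreparedStatement just as it does for every other parameterised API: a placeholder binds a value, never a table or column name. The following added example (not part of the original thread) shows the rule with Python's built-in sqlite3 module, chosen so the code runs offline; the table, columns and rows are constructed for the example, and the allowlist dictionary is an assumption about which identifiers the application is allowed to touch. It demonstrates that the fully generic form is rejected by the parser, that identifiers must instead be checked against an allowlist and quoted, and that a single quote inside a bound value is stored literally rather than interpreted as SQL.

```python
import sqlite3

# Allowlist of identifiers this code is permitted to touch (constructed for the example).
ALLOWED_COLUMNS = {"table_1": {"id", "col_1", "col_2"}}


def open_demo_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER PRIMARY KEY, col_1 TEXT, col_2 TEXT)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?, ?)",
                     [(1, "old", "x"), (2, "other", "y")])
    conn.commit()
    return conn


def placeholders_cannot_name_objects(conn):
    """The fully generic statement from the message cannot even be prepared:
    a placeholder is a value slot, not an identifier slot, so the parser
    rejects it before any value is bound. Returns True when it is rejected."""
    try:
        conn.execute("update ? set ? = ? where ? = ?",
                     ("table_1", "col_1", "new", "id", 1))
    except sqlite3.OperationalError:
        return True
    return False


def safe_update(conn, table, column, new_value, key_column, key_value):
    """Generic update that stays safe: identifiers are checked against the
    allowlist and double-quoted, values go through placeholders only."""
    columns = ALLOWED_COLUMNS.get(table)
    if columns is None or column not in columns or key_column not in columns:
        raise ValueError("identifier not in allowlist: %r/%r/%r"
                         % (table, column, key_column))
    sql = 'update "%s" set "%s" = ? where "%s" = ?' % (table, column, key_column)
    cur = conn.execute(sql, (new_value, key_value))
    conn.commit()
    return cur.rowcount


def quotes_in_values_are_harmless(conn):
    """A value containing a single quote is stored literally, never
    interpreted as SQL, because the driver binds it instead of splicing it."""
    safe_update(conn, "table_1", "col_1", "O'Reilly", "id", 1)
    return [row[0] for row in conn.execute("select col_1 from table_1 order by id")]


if __name__ == "__main__":
    db = open_demo_db()
    print("generic form rejected:", placeholders_cannot_name_objects(db))
    print("rows after safe update:", quotes_in_values_are_harmless(db))
```

The design choice is the split of responsibility: anything that names a schema object comes from the program's own allowlist, never from the request, while anything a user typed is bound as a value. Building the identifier part of the statement from a fixed set and leaving `?` only in value positions is what keeps a "general" update as secure as the single hard-coded one.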

In the pgsql-jdbc list, by date sent:

Previous
From: Michael Stephenson
Message: Re: secure sql-statements
Next
From: Barry Lind
Message: Re: secure sql-statements