Re: Prepared Statements
From | Kim Ho |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 1058544200.19657.119.camel@topanga.toronto.redhat.com |
In reply to | Re: Prepared Statements (wsheldah@lexmark.com) |
List | pgsql-jdbc |
Hi,

String fields are escaped (I believe this would cover CHAR, VARCHAR, etc.).

I added the single quotes when binding numbers in my patch for registerOutParameter and that one is going to be reviewed by Dave.

Cheers,
Kim

On Fri, 2003-07-18 at 11:10, wsheldah@lexmark.com wrote:
>
> If it only skips the escaping for numeric types, the obvious workaround
> would be to first put the user's entry into an int variable:
>
> int userId = getUserId();
> PreparedStatement s = c.prepareStatement("select * from user where id = ?");
> s.setObject(1, userId, Types.INTEGER);
>
> That way you use Java's built-in type checking to avoid sending non-numeric
> data to the backend any time you're specifying a numeric type that will
> skip the escaping.
>
> Can someone confirm that it at least does do the escaping for
> string/varchar inputs?
>
> Wes Sheldahl
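
The workaround described in the quoted message, written out as an added example (not code from the thread or from the PostgreSQL JDBC driver): the untrusted string is parsed into an `int` before it is bound, so the numeric parameter can only ever hold a number. `parseUserId`, `userExists` and the `app_user` table are hypothetical names, and the sample inputs are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class NumericBindExample {

    // Hypothetical helper: turn an untrusted request parameter into an int,
    // or fail before any SQL is prepared. Integer.parseInt rejects trailing
    // text, surrounding whitespace, empty input and out-of-range values.
    static int parseUserId(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("user id is missing");
        }
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("user id is not an integer");
        }
    }

    // Only a value that already passed parseUserId reaches the driver, so the
    // numeric bind never carries caller-supplied text. app_user is a
    // hypothetical table.
    static boolean userExists(Connection c, String rawId) throws SQLException {
        int userId = parseUserId(rawId);
        try (PreparedStatement s =
                 c.prepareStatement("select 1 from app_user where id = ?")) {
            s.setInt(1, userId);
            try (ResultSet rs = s.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; this part needs no database.
        String[] samples = {"42", "-7", "42abc", " 42", "", "99999999999"};
        for (String raw : samples) {
            try {
                System.out.println("'" + raw + "' -> " + parseUserId(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + raw + "' rejected: " + e.getMessage());
            }
        }
    }
}
```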