Re: Prepared Statements
From | Felipe Schnack |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 20030718131411.1ebe4847.felipes@ritterdosreis.br |
In reply to | Re: Prepared Statements (Csaba Nagy <nagy@ecircle-ag.com>) |
List | pgsql-jdbc |
In these cases, I just set a single question mark in the query... then I use setObject(index, parameters, Types.NUMERIC). In the "parameters" variable I pass the values concatenated, like:

    PreparedStatement prep = conn.prepareStatement("SELECT * FROM foo WHERE bar IN (?)");
    prep.setObject(1, "1, 2, 3", Types.NUMERIC);

The problem with this technique is that I can't use the driver's escaping of Strings... I just hope this keeps working in future versions of the driver :-)

Is there a way that I can call the driver's escaping methods? It would be nice if they were public.

On 18 Jul 2003 17:32:34 +0200 Csaba Nagy <nagy@ecircle-ag.com> wrote:
> > > Well, I guess the bug will have to be fixed asap as it is a security risk.
> > >
> > > What is the proper JDBC way for filling IN lists in prepared statements?
> >
>
> I'm no JDBC expert, but the way we do it: create a prepared statement
> with 100 (or whatever the max nr. of accepted params is) parameter
> placeholders, and set the ones which are actually needed to their
> parameter values, and set the rest to null.
> The nulls will be finally ignored by the database.
> Not the best solution, but it works just fine for us.
>
> Cheers,
> Csaba.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org

--
 /~\ The ASCII                 Felipe Schnack (felipes@ritterdosreis.br)
 \ / Ribbon Campaign           Systems Analyst
  X  Against HTML              Mobile: 51-91287530
 / \ Email!                    Linux Counter #281893
Centro Universitário Ritter dos Reis
http://www.ritterdosreis.br
ritter@ritterdosreis.br
Phone: 51-32303341
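Added example, not code from either message in this thread: the IN list filled with real bind parameters so every value goes through the driver, either one placeholder per value or, as in the quoted reply, a fixed number of placeholders with the unused ones bound to NULL. The `InListBinder` class name is hypothetical, `foo`/`bar` are the table and column from the post, and the id list is constructed sample input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Types;
import java.util.List;

/** Hypothetical helper: builds "... IN (?, ?, ?)" and binds each value separately. */
public final class InListBinder {

    /** Build e.g. "SELECT * FROM foo WHERE bar IN (?, ?, ?)" for n values. */
    static String sqlWithPlaceholders(String prefix, int n) {
        if (n < 1) throw new IllegalArgumentException("IN list needs at least one value");
        StringBuilder sb = new StringBuilder(prefix).append(" IN (");
        for (int i = 0; i < n; i++) sb.append(i == 0 ? "?" : ", ?");
        return sb.append(")").toString();
    }

    /** Variant 1: one placeholder per value. The SQL text depends only on the
     *  count, never on the values, so nothing from the data reaches the parser. */
    static PreparedStatement prepareDynamic(Connection conn, List<Integer> ids) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                sqlWithPlaceholders("SELECT * FROM foo WHERE bar", ids.size()));
        for (int i = 0; i < ids.size(); i++) ps.setInt(i + 1, ids.get(i));
        return ps;
    }

    /** Variant 2 (the fixed-size approach from the quoted reply): always MAX
     *  placeholders, unused ones bound to NULL, so the statement text is constant. */
    static final int MAX = 100;

    static PreparedStatement prepareFixed(Connection conn, List<Integer> ids) throws SQLException {
        if (ids.size() > MAX) throw new IllegalArgumentException("more than " + MAX + " values");
        PreparedStatement ps = conn.prepareStatement(
                sqlWithPlaceholders("SELECT * FROM foo WHERE bar", MAX));
        int idx = 1;
        for (Integer id : ids) ps.setInt(idx++, id);
        for (; idx <= MAX; idx++) ps.setNull(idx, Types.INTEGER); // NULL never matches a row
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample input; prepareDynamic/prepareFixed need a live Connection.
        List<Integer> ids = List.of(1, 2, 3);
        System.out.println(sqlWithPlaceholders("SELECT * FROM foo WHERE bar", ids.size()));
    }
}
```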