Re: Prepared Statements
From | Felipe Schnack |
---|---|
Subject | Re: Prepared Statements |
Date | |
Msg-id | 20030718151623.3e317654.felipes@ritterdosreis.br |
In response to | Re: Prepared Statements (Dmitry Tkach <dmitry@openratings.com>) |
List | pgsql-jdbc |
I just can't understand why a call to setObject(1, someString, Types.NUMERIC) would escape the contents of my "someString" variable, as I specified that it's a number

On Fri, 18 Jul 2003 13:53:39 -0400
Dmitry Tkach <dmitry@openratings.com> wrote:

> Kim Ho wrote:
>
> >Can't you instead use setString(1, "x'a'")?
> >
> Nope - that will get converted into ... where id='x\'a\'' - that won't
> be understood by the backend - it wants it *exactly* that way - x
> outside the quotes, followed by a quoted hexadecimal number...
>
> >If not, this also brings up another thing. Did you want to treat "x'a'"
> >as a number now?
> >
> Yes, I did (and still do) :-)
>
> >In any case, here is a revised version of the patch. =) Thanks for the
> >pointers.
> >
> I must be missing something, but I don't see any difference with the
> previous version ....
>
> >Also, the remove radix thing is not meant for preventing SQL injection.
> >It is meant for this like:
> >
> >create function integer_in(integer) ....
> >
> >and then using things like select integer_in(1.11231E9)
> >
> I understand that. I was just saying that adding quotes around the input
> doesn't help much in preventing injections, but does take away valuable
> functionality...
>
> Dima
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html

--
 /~\ The ASCII        Felipe Schnack (felipes@ritterdosreis.br)
 \ / Ribbon Campaign  Systems Analyst
  X  Against HTML     Cell: 51-91287530
 / \ Email!           Linux Counter #281893
Centro Universitário Ritter dos Reis
http://www.ritterdosreis.br
ritter@ritterdosreis.br
Phone: 51-32303341
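The thread contrasts two ways a driver can render a Java String that the caller declared as Types.NUMERIC: quote and backslash-escape it like a string parameter (which turns x'a' into 'x\'a\'' and so breaks the literal), or pass it through unquoted. The following is an added example, not code from the PostgreSQL JDBC driver or from anyone in this thread; it models both renderers in Python under the assumption that the safe alternative to quoting is validation, i.e. an unquoted NUMERIC parameter is accepted only when it matches a numeric-literal grammar (decimal with optional exponent, such as 1.11231E9, or the x'...' hex form), and anything else is refused rather than escaped. The function names, the regular expressions and the query template are assumptions of this example.

```python
import re

# Model (an assumption for this example, not the PostgreSQL JDBC driver's code)
# of two ways a driver could render a Java String that the caller declared
# as Types.NUMERIC into SQL text.

def quote_string(value: str) -> str:
    """Render a value the way a string parameter is rendered: wrapped in
    single quotes with backslash escaping (the behaviour the thread
    describes for setString, which yields 'x\\'a\\'' for x'a')."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"

# Grammar for an unquoted numeric literal: optional sign, digits with an
# optional fraction, optional exponent. Accepts 1.11231E9 from the thread.
_NUMERIC = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")
# The x'...' form discussed in the thread: x stays outside the quotes and
# only hexadecimal digits are allowed inside.
_HEX_LITERAL = re.compile(r"^[xX]'[0-9a-fA-F]*'$")

class InvalidNumericParameter(ValueError):
    """Raised when a NUMERIC parameter is not a well-formed literal."""

def render_numeric(value: str) -> str:
    """Render a NUMERIC parameter without quoting it: the text is passed
    through unchanged, but only if it is a well-formed literal. Anything
    else is rejected instead of escaped, so malformed input never reaches
    the SQL text and valid literals keep their meaning."""
    if _NUMERIC.match(value) or _HEX_LITERAL.match(value):
        return value
    raise InvalidNumericParameter(f"not a numeric literal: {value!r}")

def build_query(param: str, numeric: bool) -> str:
    """Substitute one parameter into a fixed query template (constructed
    here after the integer_in example in the thread), choosing the
    renderer by the declared type."""
    rendered = render_numeric(param) if numeric else quote_string(param)
    return f"select integer_in({rendered})"

if __name__ == "__main__":
    print(build_query("1.11231E9", numeric=True))
    # Quoted form: the backend will not read this as a number.
    print(build_query("x'a'", numeric=False))
    # Unquoted form: the literal arrives intact.
    print(build_query("x'a'", numeric=True))
    try:
        build_query("1 or 1=1", numeric=True)
    except InvalidNumericParameter as exc:
        print("rejected:", exc)
```

Running the block shows the three renderings and one rejection. The design point is the one Dima makes: quoting a numeric parameter does not make it safe, it only changes its type and breaks literals like x'a'; refusing anything that is not a numeric literal keeps the functionality while still rejecting text that is not a number.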