Re: [INTERFACES] New code for JDBC driver
From | Michael Stephenson |
---|---|
Subject | Re: [INTERFACES] New code for JDBC driver |
Date | |
Msg-id | Pine.LNX.4.30.0107111146480.14094-100000@tirin.openworld.co.uk |
In reply to | Re: [INTERFACES] New code for JDBC driver ("Arsalan Zaidi" <azaidi@directi.com>) |
List | pgsql-jdbc |
> I agree that it probably is. Unfortunately, as I mentioned in my previous
> post, no one is going to be entering in SQL queries directly through our
> interface. We're not doing it and if someone is, he's up to no good. e.g.
>
> "update users set name='"+name+"'"
>
> If there's a text box in which you enter your name for the first query, I
> can have some fun if I enter in
>
> Arsalan'';update funds set money = 100000 where userid =10
>
> Am I right? It's situations like these that I'm trying to prevent. Is there
> a better way?

If I'm not using prepared statements I tend to use something like:

    String statement = "update users set name='" + encode(name) + "'";

Where encode is defined as:

    /**
     * Encode a string suitable for being placed in a query.
     */
    final String encode(String dirtyString) {
        StringBuffer cleanString = new StringBuffer("");
        for (int i = 0; i < dirtyString.length(); i++) {
            char c = dirtyString.charAt(i);
            cleanString.append(c);
            // double each embedded single quote so it stays inside the literal
            if (c == '\'') {
                cleanString.append(c);
            }
        }
        return cleanString.toString();
    }

Hope this helps,

Michael Stephenson
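As an added example (not code from the thread or from the PostgreSQL JDBC project), the same update done with a JDBC PreparedStatement, which binds the name as a parameter instead of splicing it into the SQL text; the `SafeUpdate` class, a `users.userid` column and the JDBC URL passed on the command line are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class SafeUpdate {
    // Constructed input: the value from the thread, used here to show that a
    // bound parameter carries it as plain data, quotes and all.
    static final String HOSTILE_NAME =
        "Arsalan'';update funds set money = 100000 where userid =10";

    /** Updates one user's name with bound parameters. The driver sends the
     *  value separately from the statement text, so a quote inside it can
     *  never terminate the literal or start a second statement. */
    static int updateUserName(Connection conn, int userId, String name)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "UPDATE users SET name = ? WHERE userid = ?")) {
            ps.setString(1, name);
            ps.setInt(2, userId);
            return ps.executeUpdate();   // 1 if the row exists, otherwise 0
        }
    }

    /** The concatenation form from the thread, kept only to show the text the
     *  server would receive; it is never executed here. */
    static String naiveStatement(String name) {
        return "update users set name='" + name + "'";
    }

    public static void main(String[] args) throws SQLException {
        System.out.println("Concatenated statement text:");
        System.out.println("  " + naiveStatement(HOSTILE_NAME));
        if (args.length < 1) {
            System.out.println("Pass a JDBC URL (assumed form: "
                + "jdbc:postgresql://host/db?user=u&password=p) to run the bound update.");
            return;
        }
        try (Connection conn = DriverManager.getConnection(args[0])) {
            int rows = updateUserName(conn, 10, HOSTILE_NAME);
            System.out.println("Rows updated via bound parameter: " + rows);
        }
    }
}
```

With the bound form the whole string, including the embedded `;update funds ...`, lands in the `name` column of at most one row, and no `encode` step is needed at all.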