Re: Re: [INTERFACES] New code for JDBC driver
| От | Gunnar Rønning |
|---|---|
| Тема | Re: Re: [INTERFACES] New code for JDBC driver |
| Дата | |
| Msg-id | m2elrvu1ji.fsf@smaug.polygnosis.com обсуждение исходный текст |
| Ответ на | Re: [INTERFACES] New code for JDBC driver ("George Koras" <gkoras@cres.gr>) |
| Список | pgsql-jdbc |
* "George Koras" <gkoras@cres.gr> wrote:
| So I guess a solution would be to escape *quotes* and not *semicolons out of
| quotes*, which is the solution I use in my programs and on which comments
| are invited . This also prevents the malicious use Arsanal is talking about,
| doesn't it?
|
| However the PreparedStatement solution (which I haven't tried) seems to be
| more elegant.
|
PreparedStatement is the right solution for this. If you don't trust
your input SQL either use that or do custom escaping on before sending
the SQL to the driver.
I wouldn't like to add another performance bottleneck, especially when it is
not mandated by the spec. The JDBC driver for Sybase works the same way.
regards,
Gunnar
--
Gunnar Rønning - gunnar@polygnosis.com
Senior Consultant, Polygnosis AS, http://www.polygnosis.com/
В списке pgsql-jdbc по дате отправления: