Yes, I agree that it certainly has to be done before SQL is sent to the
driver, i.e. in the middle tier!
Is it a performance bottleneck? Would PreparedStatement be more efficient?
----- Original Message -----
From: Gunnar Rψnning <gunnar@polygnosis.com>
To: George Koras <gkoras@cres.gr>
Cc: Barry Lind <barry@xythos.com>; Arsalan Zaidi <azaidi@directi.com>;
PostgreSQL jdbc list <pgsql-jdbc@postgresql.org>
Sent: Thursday, July 05, 2001 1:13 PM
Subject: Re: [JDBC] Re: [INTERFACES] New code for JDBC driver
> * "George Koras" <gkoras@cres.gr> wrote:
>
> | So I guess a solution would be to escape *quotes* and not *semicolons
out of
> | quotes*, which is the solution I use in my programs and on which
comments
> | are invited . This also prevents the malicious use Arsanal is talking
about,
> | doesn't it?
> |
> | However the PreparedStatement solution (which I haven't tried) seems to
be
> | more elegant.
> |
>
> PreparedStatement is the right solution for this. If you don't trust
> your input SQL either use that or do custom escaping on before sending
> the SQL to the driver.
>
> I wouldn't like to add another performance bottleneck, especially when it
is
> not mandated by the spec. The JDBC driver for Sybase works the same way.
>
> regards,
>
> Gunnar
> --
> Gunnar Rψnning - gunnar@polygnosis.com
> Senior Consultant, Polygnosis AS, http://www.polygnosis.com/
>