Re: How does postgres handle non literal string values
| От | Richard Huxton |
|---|---|
| Тема | Re: How does postgres handle non literal string values |
| Дата | |
| Msg-id | 200211261535.02419.dev@archonet.com обсуждение исходный текст |
| Ответ на | How does postgres handle non literal string values (monroy@mindspring.com (javaholic)) |
| Список | pgsql-sql |
On Monday 25 Nov 2002 12:57 pm, javaholic wrote:
> Hi All,
>
> I have some jsp code that should insert a user name and password into
> a table called login.
>
> Instead of inserting the values given by the client, it insert the
> literal string 'username' and 'password. The problem is somewhere in
> the INSERT statement.
> String insertString =
> "INSERT INTO \"login\" (\'user\', \'password\')
> VALUES ('username', 'password')";
You're creating an insertString with the literal words "username" and
"password" in them. This is a java issue, not a PG issue. You'll want
something like (sorry if syntax is wrong, but I don't do Java):
String insertString = "Insert INTO ... VALUES ('" + sql_escaped(username) +
"')..."
You *will* want to escape the username and password otherwise I'll be able to
come along and insert any values I like into your database. I can't believe
the JDBC classes don't provide
1. Some way to escape value strings
2. Some form of placeholders to deal with this
-- Richard Huxton
В списке pgsql-sql по дате отправления: