Re: escape string for pgsql (using jdbc/java)?

From: Oliver Jowett
Subject: Re: escape string for pgsql (using jdbc/java)?
Msg-id: 45BD294D.5040002@opencloud.com
In response to: Re: escape string for pgsql (using jdbc/java)?  (Tobias Thierer <t_thierer@yahoo.de>)
Responses: Re: escape string for pgsql (using jdbc/java)?  (Tobias Thierer <t_thierer@yahoo.de>)
List: pgsql-jdbc

Tobias Thierer wrote:
> Kris Jurka wrote:
>
>>>  1.) Is there a built-in method somewhere in the jdbc driver that
>>>      escapes strings and makes them safe to use in an SQL statement
>>>      (inside a string)?
>>
>>
>> There is org.postgresql.core.Utils#appendEscapedString, but it's not
>> something we support or advertise.  It's really for internal use only.
>
>
> I dislike that this method expects me to tell it whether I have
> standard_conforming_strings set - this kinda defeats the "write once,
> run everywhere" principle.

If you want something portable just use PreparedStatement.setString()
and parameter placeholders. The "preparation" overhead you are worrying
about is not really an issue as the PreparedStatement implementation is
designed to handle one-shot queries as well as reused queries
efficiently .. since PreparedStatement is often used just for parameter
value interpolation to avoid exactly the issues you are encountering.

-O
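
The placeholder approach recommended above, as an added example (not code from this thread or from the JDBC driver project): a one-shot `PreparedStatement` round-trips a string containing a quote and backslashes unchanged under both settings of `standard_conforming_strings`. The class name, the `PG_URL`/`PG_USER`/`PG_PASSWORD` environment variables, their defaults and the sample string are assumptions; it needs a reachable PostgreSQL server and the PostgreSQL JDBC driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindInsteadOfEscape {
    // The value travels as a bind parameter; it is never spliced into the
    // SQL text, so no client-side escaping rule has to be chosen.
    static String roundTrip(Connection conn, String value) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT CAST(? AS text)")) {
            ps.setString(1, value);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getString(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection settings for a local test database.
        String url = System.getenv().getOrDefault(
                "PG_URL", "jdbc:postgresql://localhost:5432/postgres");
        String user = System.getenv().getOrDefault("PG_USER", "postgres");
        String password = System.getenv("PG_PASSWORD"); // may be null

        // Constructed input: a quote and backslashes, the characters whose
        // escaping inside a literal depends on standard_conforming_strings.
        String tricky = "O'Reilly \\ C:\\temp\\' --";

        try (Connection conn = DriverManager.getConnection(url, user, password)) {
            for (String mode : new String[] {"on", "off"}) {
                // Fixed constants only; no user input reaches this statement.
                try (Statement st = conn.createStatement()) {
                    st.execute("SET standard_conforming_strings = " + mode);
                }
                String back = roundTrip(conn, tricky);
                System.out.println("standard_conforming_strings=" + mode
                        + " unchanged=" + tricky.equals(back));
                if (!tricky.equals(back)) {
                    throw new IllegalStateException("value changed in transit");
                }
            }
        }
    }
}
```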
