Re: Re: [INTERFACES] New code for JDBC driver

From: Gunnar Rønning
Subject: Re: Re: [INTERFACES] New code for JDBC driver
Date:
Msg-id: m2elrvu1ji.fsf@smaug.polygnosis.com
In reply to: Re: [INTERFACES] New code for JDBC driver  ("George Koras" <gkoras@cres.gr>)
List: pgsql-jdbc
* "George Koras" <gkoras@cres.gr> wrote:

| So I guess a solution would be to escape *quotes* and not *semicolons out of
| quotes*, which is the solution I use in my programs and on which comments
| are invited . This also prevents the malicious use Arsanal is talking about,
| doesn't it?
|
| However the PreparedStatement solution (which I haven't tried) seems to be
| more elegant.
|

PreparedStatement is the right solution for this. If you don't trust
your input SQL either use that or do custom escaping before sending
the SQL to the driver.

I wouldn't like to add another performance bottleneck, especially when it is
not mandated by the spec. The JDBC driver for Sybase works the same way.

regards,

        Gunnar
--
Gunnar Rønning - gunnar@polygnosis.com
Senior Consultant, Polygnosis AS, http://www.polygnosis.com/
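The two approaches discussed above, as an added Java example that is not part of the thread or of the PostgreSQL JDBC driver: the hand-escaping George describes beside a PreparedStatement that binds the value as a parameter. It assumes a caller-supplied JDBC Connection and a hypothetical `users(id, name)` table.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // Application-side escaping, as described in the quoted message: the
    // application doubles every single quote before concatenating the value
    // into the SQL text. This only works if every call site remembers to do
    // it and the escaping rules match what the server actually parses, so a
    // single missed call or a rule mismatch changes the statement's structure.
    static String concatenatedQuery(String username) {
        String escaped = username.replace("'", "''");
        return "SELECT id, name FROM users WHERE name = '" + escaped + "'";
    }

    // PreparedStatement, as Gunnar recommends: the SQL text handed to the
    // driver is fixed, and the value is bound separately with setString.
    // Quotes or semicolons inside the input stay data and never become SQL
    // syntax, and no escaping code is needed in the application at all.
    static List<String> lookupUser(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = ?";  // placeholder, no concatenation
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);  // driver handles quoting/encoding
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate name containing a quote.
        String name = "O'Brien";
        // Hand-escaped text that would be sent if concatenation were used:
        System.out.println(concatenatedQuery(name));
        // With lookupUser(conn, name) the value is never spliced into the
        // text, so the same input needs no special handling.
    }
}
```

For a plain SELECT the parameter approach also lets the driver reuse the statement text across calls, which addresses the performance concern raised above rather than adding to it.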
