Re: Prepared Statement Issues.

From Oliver Jowett
Subject Re: Prepared Statement Issues.
Date
Msg-id 20031025013152.GA8352@opencloud.com
In reply to Prepared Statement Issues.  (Greg Johnson <gregj@interprose.com>)
Responses Cursor based statements  (Dave Cramer <Dave@micro-automation.net>)
List pgsql-jdbc
On Thu, Oct 23, 2003 at 08:33:50AM -0700, Greg Johnson wrote:
> I recently have been trying to update to the 113 build of jdbc drivers,
> but I am having some problems. I have several prepared statements where
> I pass in order by column and the order of the sort.
>
> select id, name, address, state from people order by (?) (?)
>
> However, with the 113 build I can't seem to set the column name to order
> by or the sort direction anymore. With the 112 build I just set the SQL
> type to INTEGER and it passed through.  I also used the same "hack" to
> pass an array of values to IN statements.
>
> select id, name, address, state from people where id in (?);
>
> What java sql type do I need to use for these types of queries?

You can't use ? placeholders to embed things that aren't actually single
data values in queries any longer. This came out of fixing a SQL injection
hole that appears if the driver allows parameters to make it into the query
unescaped. There was quite a bit of discussion at the time about how to fix
the injection hole while supporting existing apps, but unfortunately no one
could find an acceptable way of doing it.

To get the same effect with recent drivers, you'll have to construct the
expanded query string yourself. You can still use ?-placeholders for real
data values, obviously.

-O
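The approach Oliver describes, as an added example that is not part of the original thread: the ORDER BY column and direction are checked against a fixed allowlist and spliced into the SQL text, and the IN list gets one ? per value so the ids themselves are still bound as real parameters. The table and column names come from Greg's queries; the class name, the allowlist and Java 9+ (for `Set.of`) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class PeopleQueries {
    // Only identifiers the application itself knows may be spliced into SQL text;
    // user input is never copied into the query string.
    private static final Set<String> SORTABLE_COLUMNS =
            Set.of("id", "name", "address", "state");

    // Validates the ORDER BY column against the allowlist and returns the
    // expanded query text; the direction is one of two constants, not input.
    static String orderedPeopleSql(String column, boolean descending) {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsortable column: " + column);
        }
        return "select id, name, address, state from people order by "
                + column + (descending ? " desc" : " asc");
    }

    // Builds "... where id in (?, ?, ?)" with exactly one placeholder per value.
    static String peopleByIdsSql(int count) {
        if (count <= 0) {
            throw new IllegalArgumentException("IN list needs at least one value");
        }
        String placeholders = String.join(", ", Collections.nCopies(count, "?"));
        return "select id, name, address, state from people where id in ("
                + placeholders + ")";
    }

    // Prepares the IN query and binds each id as a genuine integer parameter.
    static PreparedStatement peopleByIds(Connection conn, List<Integer> ids)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(peopleByIdsSql(ids.size()));
        for (int i = 0; i < ids.size(); i++) {
            ps.setInt(i + 1, ids.get(i)); // JDBC parameter indexes are 1-based
        }
        return ps;
    }
}
```

Rejecting an unknown column with an exception, rather than echoing it into the query, is what keeps the rebuilt string free of the injection hole the driver change closed.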
