| From: | Kim Ho <kho(at)redhat(dot)com> |
|---|---|
| To: | wsheldah(at)lexmark(dot)com |
| Cc: | Barry Lind <blind(at)xythos(dot)com>, Dave Cramer <Dave(at)micro-automation(dot)net>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-18 16:03:20 |
| Message-ID: | 1058544200.19657.119.camel@topanga.toronto.redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Hi,
String fields are escaped (I believe this would cover CHAR, VARCHAR,
etc)
I added the single quotes when binding numbers in my patch for
registerOutParameter and that one is going to be reviewed by Dave.
Cheers,
Kim
On Fri, 2003-07-18 at 11:10, wsheldah(at)lexmark(dot)com wrote:
>
> If it only skips the escaping for numeric types, the obvious workaround
> would be first put the user's entry into an int variable:
>
> int userId = getUserId();
> PreparedStatement s = c.prepareStatement ("select * from user where id
> = ?");
> s.setObject(1, userId, Types.INTEGER);
>
> That way you use java's built-in type checking to avoid sending non-numeric
> data to the backend any time you're specifying a numeric type that will
> skip the escaping.
>
> Can someone confirm that it at least does do the escaping for
> string/varchar inputs?
>
> Wes Sheldahl
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Barry Lind | 2003-07-18 16:04:17 | Re: Prepared Statements |
| Previous Message | Csaba Nagy | 2003-07-18 15:49:20 | Re: Prepared Statements |