Re: Prepared Statements

In these cases, I just set a single question mark in the query... then I use setObject(index, parameters, Types.NUMERIC)
In the "parameters" variable I pass the values concatenated, like:

PreparedStatement prep = conn.preparePreparedStatement("SELECT * FROM foo WHERE bar IN (?)");
prep.setObject(1, "1, 2, 3", Types.NUMERIC);

The problem about this technique is that I can't use driver's scaping of Strings... I just hope this keeps working in future versions of the driver :-)
There is a way that I can cann driver's scaping methods? Would be nice if they were public.

On 18 Jul 2003 17:32:34 +0200
Csaba Nagy <nagy(at)ecircle-ag(dot)com> wrote:

> >
> > Well, I guess the bug will have be fixed asap as it is a security risk.
> >
> > What is the proper JDBC way for filling IN lists in prepared statements?
> >
>
> I'm no JDBC expert, but the way we do it: create a prepared statement
> with 100 (or whatever the max nr. of accepted params is) parameter
> placeholders, and set the ones which are actually needed to their
> parameter values, and set the rest to null.
> The nulls will be finally ignored by the database.
> Not the best solution, but it works just fine for us.
>
> Cheers,
> Csaba.
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org

--

/~\ The ASCII Felipe Schnack (felipes(at)ritterdosreis(dot)br)
\ / Ribbon Campaign Analista de Sistemas
X Against HTML Cel.: 51-91287530
/ \ Email! Linux Counter #281893

Centro Universitário Ritter dos Reis
http://www.ritterdosreis.br
ritter(at)ritterdosreis(dot)br
Fone: 51-32303341