Re: How does postgres handle non literal string values

From: Doug McNaught
Subject: Re: How does postgres handle non literal string values
Date:
Msg-id: m3fztndog4.fsf@varsoon.wireboard.com
In reply to: How does postgres handle non literal string values (monroy@mindspring.com (javaholic))
List: pgsql-general
monroy@mindspring.com (javaholic) writes:

>                         String insertString =
>                         "INSERT INTO  \"login\" ('user', 'password')
> VALUES ('username', 'password')";

First, your SQL syntax is wrong (field names in an INSERT shouldn't be
quoted), and second, Java isn't Perl--it won't magically interpolate
variable values into a string.  Try:

String insertString =
 "INSERT INTO  \"login\" (user, password) VALUES ('" + username
 + "', '" + password + "')";

This will work but has a gaping security hole.  Even better, use a
PreparedStatement instead--it's much cleaner and is immune to SQL
injection attacks.

-Doug
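The two forms Doug contrasts, side by side, as an added example that is not part of the original thread. It assumes the caller already holds a JDBC `Connection` to a database containing the thread's `login` table with `user` and `password` columns; the JDBC URL in `main` is a placeholder.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class LoginInsert {

    // The string-concatenation form from the reply above. Any single quote in
    // username or password is parsed by PostgreSQL as part of the statement,
    // which is the SQL injection hole the reply warns about. A perfectly
    // innocent value with an apostrophe already produces a broken statement.
    static String concatenatedInsert(String username, String password) {
        // "user" is a reserved word in PostgreSQL, so the column is quoted.
        return "INSERT INTO \"login\" (\"user\", password) VALUES ('"
                + username + "', '" + password + "')";
    }

    // PreparedStatement form: the SQL text is fixed and contains only
    // placeholders; the values are bound separately, so the server never
    // parses them as SQL and quotes inside them are stored as plain data.
    static int preparedInsert(Connection conn, String username, String password)
            throws SQLException {
        String sql = "INSERT INTO \"login\" (\"user\", password) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            return ps.executeUpdate(); // rows inserted, 1 on success
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input: a legitimate name containing an apostrophe.
        String username = "O'Brien";
        String password = "s3cret";

        // Concatenation yields: ... VALUES ('O'Brien', 's3cret')
        // which PostgreSQL rejects as a syntax error (or worse, accepts
        // altered SQL when the input is crafted).
        System.out.println(concatenatedInsert(username, password));

        // Placeholder connection details; replace with a real JDBC URL.
        String url = "jdbc:postgresql://DB_HOST/DB_NAME";
        try (Connection conn = DriverManager.getConnection(url, "DB_USER", "DB_PASS")) {
            int rows = preparedInsert(conn, username, password);
            System.out.println("inserted rows: " + rows); // 1, apostrophe intact
        }
    }
}
```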

