Re: How to implement a dynamic string into a sql statement? - Mailing list pgsql-jdbc

From David G Johnston
Subject Re: How to implement a dynamic string into a sql statement?
Date
Msg-id 1409078252506-5816363.post@n5.nabble.com
In response to How to implement a dynamic string into a sql statement?  (howalt <howaltwil@web.de>)
List pgsql-jdbc
howalt wrote
> So, it seems that PSQL has problems with the ? in the prepared
> statement. Does anyone know a solution for this problem?

The most secure way to handle this would be to create a custom pl/pgsql
function and build the dynamic sql string in there and execute it.  You can
then make use of the "quote_ident" function to help make sure that the sql
you are creating is valid and resistant to injection.


> I also tried using a normal statement, but this is giving me a findbug
> error that I try to pass a nonconstant string to an execute method on an
> sql statement. So I really don't know how to get rid of this problem

I have no clue what a "findbug error" is.  I presume it is warning you about
sql injection risks.  In which case you will have to override the error
since the only way to do what you want, directly in Java, is to risk sql
injection.  Thus you have to be especially careful to validate the user
input.

Again, you can offload that responsibility to PostgreSQL itself by simply
passing the variables, as values, into a function on the server and let that
function convert them into identifiers.

David J.
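As an added illustration of the approach described above (this is example code, not part of the original thread): the JDBC side keeps passing the column name and the search value as ordinary "?" parameters, and a PL/pgSQL function turns the name into an identifier with quote_ident() and binds the value with USING, so neither string is ever spliced into the SQL text unquoted. The table "customers", the function name "lookup_by_column" and the sample rows are assumptions made for this example.

```sql
-- Example (not from the original post). Sample table and rows are
-- constructed for illustration.
CREATE TABLE IF NOT EXISTS customers (id int PRIMARY KEY, name text, email text);
INSERT INTO customers VALUES (1, 'alice', 'alice@example.com'),
                             (2, 'bob',   'bob@example.com')
ON CONFLICT DO NOTHING;

-- The column name arrives as a plain text VALUE (p_column); quote_ident()
-- converts it into a safe identifier, and the search value is bound with
-- USING, so both dynamic parts stay out of the statement text.
CREATE OR REPLACE FUNCTION lookup_by_column(p_column text, p_value text)
RETURNS SETOF customers
LANGUAGE plpgsql
AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM customers WHERE ' || quote_ident(p_column) || ' = $1'
        USING p_value;
END;
$$;

-- From JDBC this is an ordinary prepared call with two "?" parameters:
--   conn.prepareStatement("SELECT * FROM lookup_by_column(?, ?)")
-- so the tool warning about non-constant SQL strings goes away.
SELECT * FROM lookup_by_column('name', 'alice');

-- A hostile "column name" is wrapped as a single double-quoted identifier
-- (embedded double quotes are doubled), so the call fails with
-- "column ... does not exist" instead of running a second statement.
SELECT quote_ident('email"; DROP TABLE customers; --');
SELECT * FROM lookup_by_column('email"; DROP TABLE customers; --', 'x');
```

If the table name must be dynamic as well, wrap it in quote_ident() the same way; format('%I ... %I = $1', p_table, p_column) is the equivalent shorthand. Only identifiers go through quote_ident(); values always go through USING (or quote_literal() if you must inline them).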





