On Monday 25 Nov 2002 12:57 pm, javaholic wrote:
> Hi All,
>
> I have some jsp code that should insert a user name and password into
> a table called login.
>
> Instead of inserting the values given by the client, it insert the
> literal string 'username' and 'password. The problem is somewhere in
> the INSERT statement.
> String insertString =
> "INSERT INTO \"login\" (\'user\', \'password\')
> VALUES ('username', 'password')";
You're creating an insertString with the literal words "username" and
"password" in them. This is a java issue, not a PG issue. You'll want
something like (sorry if syntax is wrong, but I don't do Java):
String insertString = "Insert INTO ... VALUES ('" + sql_escaped(username) +
"')..."
You *will* want to escape the username and password otherwise I'll be able to
come along and insert any values I like into your database. I can't believe
the JDBC classes don't provide
1. Some way to escape value strings
2. Some form of placeholders to deal with this
-- Richard Huxton
