Re: Prepared Statements - Mailing list pgsql-jdbc

From Felipe Schnack
Subject Re: Prepared Statements
Date
Msg-id 20030718151623.3e317654.felipes@ritterdosreis.br
Whole thread Raw
In response to Re: Prepared Statements  (Dmitry Tkach <dmitry@openratings.com>)
List pgsql-jdbc
I just can't understand why a call to setObject(1, someString, Types.NUMERIC) would scape the contents of my
"someString"variable, as I specified that it's a number 

On Fri, 18 Jul 2003 13:53:39 -0400
Dmitry Tkach <dmitry@openratings.com> wrote:

> Kim Ho wrote:
>
> >Can't you instead use setString(1, "x'a'")?
> >
> Nope - that will get converted into ... where id='x\'a\'' - that won't
> be understood by the backend - it wants it *exactly* that way - x
> outside the quotes, followed by a quoted hexademical number...
>
> >
> >If not, this also brings up another thing. Did you want to treat "x'a'"
> >as a number now?
> >
> Yes, I did (and still do) :-)
>
> >
> >In any case, here is a revised version of the patch. =) Thanks for the
> >pointers.
> >
> I must be missing something, but I don't see any difference with the
> previous version ....
>
> >
> >Also, the remove radix thing is not meant for preventing SQL injection.
> >It is meant for this like:
> >
> >create function integer_in(integer) ....
> >
> >and then using things like select integer_in(1.11231E9)
> >
> I understand that. I was just saying that adding quotes around the input
> doesn't help much in preventing injections, but does take away valuable
> functionality...
>
> Dima
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faqs/FAQ.html


--

 /~\ The ASCII        Felipe Schnack (felipes@ritterdosreis.br)
 \ / Ribbon Campaign  Analista de Sistemas
  X  Against HTML     Cel.: 51-91287530
 / \ Email!           Linux Counter #281893

Centro Universitário Ritter dos Reis
http://www.ritterdosreis.br
ritter@ritterdosreis.br
Fone: 51-32303341

pgsql-jdbc by date:

Previous
From: Kim Ho
Date:
Subject: Re: Prepared Statements
Next
From: Dmitry Tkach
Date:
Subject: Re: Prepared Statements