Home > mailing lists

Re: secure sql-statments - Mailing list pgsql-jdbc

From	Barry Lind
Subject	Re: secure sql-statments
Date	November 14, 2001 18:20:29
Msg-id	3BF2CEDD.7070803@xythos.com Whole thread Raw
In response to	secure sql-statments (list@meinsenf.at)
List	pgsql-jdbc

Tree view

Michi,

You should use PreparedStatements and you won't need to worry about
doing anything, as the driver will take care of all the work for you.

thanks,
--Barry

list@meinsenf.at wrote:

>
> hi,
> I want to make my web-app secure against evil sql-statments!
>
> my sql-strings look like:
>
> updateString = "update table_1 set col_1 = '" + postParam_1 + "'";
> selectString = "select col_1 from table_1 where col_1 like '" + postParam + "'";
> generalSelectString = postParam;
>
> what characters do I have to quote, so that the client can't submit evil sql-statments?
>
> ok: 2 characters i must quote: "'" -> "\'" and "\" -> "\\"
> what characters do I need to quote else???
> perhaps ";" -> "\;"
>
> thanks
> michi
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
>

pgsql-jdbc by date:

From: list@meinsenf.at
Date: 14 November 2001, 13:30:15
Subject: Re : Re: secure sql-statments

From: "Chad R. Larson"
Date: 14 November 2001, 18:40:15
Subject: Re: [ADMIN] PostgreSQL->JDBC->Tomcat->Apache resource uses

Re: secure sql-statments - Mailing list pgsql-jdbc

Previous

Next