Re: How does postgres handle non literal string values - Mailing list pgsql-sql

From Charles H. Woloszynski
Subject Re: How does postgres handle non literal string values
Date
Msg-id 3DE39BC7.8000603@clearmetrix.com
In response to How does postgres handle non literal string values  (monroy@mindspring.com (javaholic))
Responses Re: How does postgres handle non literal string values  (Vernon Wu <vernonw@gatewaytech.com>)
List pgsql-sql
Actually, we use JDBC Prepared Statements for this type of work.  You 
put a query with '?' in as placeholders and then add in the values and 
the library takes care of the encoding issues.  This avoids the double 
encoding of (encode X as String, decode string and encode as SQL X on 
the line).  There was a good article about a framework that did this in 
JavaReport about 18 months ago.

We have gleaned some ideas from that article to create a framework 
around using PreparedStatements as the primary interface to the 
database.  I'd suggest looking at them.  They really make your code much 
more robust.

Charlie


>"')..."
>
>You *will* want to escape the username and password otherwise I'll be able to 
>come along and insert any values I like into your database. I can't believe 
>the JDBC classes don't provide 
>
>1. Some way to escape value strings
>2. Some form of placeholders to deal with this
>

-- 


Charles H. Woloszynski

ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com
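An added illustration (not code from this thread) of the placeholder approach Charlie describes, in Java/JDBC: the fragile concatenated form beside the PreparedStatement form. The table `users(username, password_hash)`, the `UserLookup` class and an already open `java.sql.Connection` are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not from the original thread. Assumes a table
//   users(username TEXT, password_hash TEXT)
// and a caller that already holds an open java.sql.Connection.
public final class UserLookup {

    // Constructed sample input: a username containing a single quote.
    // Spliced into SQL text it needs escaping; bound through a
    // placeholder it travels as data and never alters the statement.
    static final String SAMPLE_USERNAME = "o'brien";

    // Fragile form: the value becomes part of the SQL text, so every
    // character the SQL grammar cares about must be escaped by hand
    // (the "double encoding" the message describes). With the sample
    // username above the resulting text is no longer valid SQL.
    static String concatenatedQuery(String username) {
        return "SELECT password_hash FROM users WHERE username = '"
                + username + "'";
    }

    // Robust form: one fixed statement with a '?' placeholder; the
    // JDBC driver encodes the bound value, so the application never
    // escapes anything itself. Returns null when no row matches.
    static String lookupPasswordHash(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // parameter indexes are 1-based
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("password_hash") : null;
            }
        }
    }
}
```

The password check itself belongs in application code (compare the stored hash with a hash of the supplied password), so only the username is bound here.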
