Re: Control characters in sql statements close db connection - Mailing list pgsql-jdbc

From Barry Lind
Subject Re: Control characters in sql statements close db connection
Date
Msg-id 3E286C76.6080402@xythos.com
Whole thread Raw
In response to Re: Control characters in sql statements close db connection  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-jdbc

Tom Lane wrote:
> Barry Lind <blind@xythos.com> writes:
>
>>Yes I would say this is expected behavior.  If you use the regular
>>Statement object it is your responsibility to properly quote and escape
>>the data.  However if you use a PreparedStatement then the driver
>>handles it for you.
>
>
>>So you would issue the following via a PreparedStatement:
>>SELECT * FROM NEB_IPSNMPDEVICES WHERE NEB_IPSNMPDevices.PHY_ADDRESS = ?
>>and then do a stmt.setString(1,"'^@`^]:u'");
>
>
> But there is no escape for a \0, except in the limited context of
> BYTEA values.  It'd probably be better for the driver to reject 'em.
>
> Does JDBC understand about BYTEA fields?  If so, it could generate the
> correct escape when filling a parameter for a BYTEA value, and fail
> otherwise.
>

Yes the driver understands bytea fields and deals with them
appropriately.  But there are not currently any checks that prevent
passing \0 in other areas.  The jdbc API uses different methods for
binary data versus textual data and thus there are obvious places to add
such checks.

--Barry



pgsql-jdbc by date:

Previous
From: Tom Lane
Date:
Subject: Re: Control characters in sql statements close db connection
Next
From: Barry Lind
Date:
Subject: Re: insertRow and updateable resultset