Re: secure sql-statments - Mailing list pgsql-jdbc

From Michael Stephenson
Subject Re: secure sql-statments
Date
Msg-id Pine.LNX.4.30.0111141235260.593-100000@tirin.openworld.co.uk
Whole thread Raw
In response to secure sql-statments  (list@meinsenf.at)
List pgsql-jdbc
> what characters do I have to quote, so that the client can't submit
> evil sql-statments?

I believe the only characters you need to escape for postgres are '\\'
and '\'', but it is easier to rely on the jdbc driver to do it for you
by using a prepared statement (assuming your using java 2):

PreparedStatement updateStatement = connection.prepareStatement
    ("update table_1 set col_1 = ?");
p.setString(1, postParam_1);

Doing it this way means there is less to worry about if you ever change
database backends (they might need differing characters escaped), and
the code has already had extensive testing.

Michael

Web Applications Developer
Open World Ltd, The Old Malthouse, Clarence Street, Bath, BA1 5NS.
Tel: +44 1225 444950                           Fax: +44 1225 336738
http://www.openworld.org/


pgsql-jdbc by date:

Previous
From: list@meinsenf.at
Date:
Subject: secure sql-statments
Next
From: list@meinsenf.at
Date:
Subject: Re : Re: secure sql-statments