


Re: colon questions

From "Lew" <lew@THRWHITE.remove-dii-this>
Subject Re: colon questions
Message-ID <oJudncKbAtO1S_fVnZ2dnUVZ_jGdnZ2d@comcast.com> (permalink)
Newsgroups comp.lang.java.databases
References <486ab61c$0$90276$14726298@news.sunsite.dk>
Date 2011-04-27 15:22 +0000
Organization TDS.net



  To: comp.lang.java.databases
Lew wrote:
>>>   String var1 = "Dianne''s horse";
>>>   String cmd = "UPDATE huxtable (descrip) VALUES ( '" + var1 + "' )";
>>> // DO NOT EVER DO SQL IN THIS MANNER!
>>> // IT IS A SECURITY HOLE BIG ENOUGH TO COAST A TRUCK THROUGH!
>>> // USE PreparedStatement!

Arne Vajhøj wrote:
> Besides the SQL looks very non standard. The standard is:
> 
> INSERT INTO tbl VALUES(val);
> INSERT INTO tbl(fld) VALUES(val);
> UPDATE tbl SET fld=val;
> UPDATE tbl SET fld=val WHERE id=otherval;

Actually, it's wrong, not non-standard.  I mistakenly didn't check it.

Not that it mattered for my points, which were mostly about Java.  My advice not 
to do SQL that way is also valid, for valid SQL, despite the fact that my SQL 
was not valid.

So whichever of the INSERT INTO (which is what I *meant* to write) or UPDATE 
commands one uses, one should not inject Strings directly into the statement 
but use PreparedStatement instead.

-- 
Lew
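As an added example (not code from Lew's or Arne's posts), the concatenated pattern from the quoted snippet sits beside the PreparedStatement form Lew recommends, using the INSERT syntax from Arne's reply; the table and column names come from the quoted code, and the H2 in-memory JDBC driver on the classpath is an assumption (any JDBC driver and database would serve).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the original post): the concatenated statement from the
// quoted code next to the PreparedStatement form, using the corrected INSERT syntax
// from Arne's reply. Assumes the H2 JDBC driver jar is on the classpath.
public class HuxtableInsert {

    // Constructed sample value; the apostrophe is exactly what breaks concatenation.
    static final String VAR1 = "Dianne's horse";

    // The pattern from the quoted post. The apostrophe in var1 closes the string
    // literal early, so whatever follows is parsed as SQL instead of as data.
    static int insertByConcatenation(Connection con, String var1) throws SQLException {
        String cmd = "INSERT INTO huxtable (descrip) VALUES ('" + var1 + "')";
        try (Statement st = con.createStatement()) {
            return st.executeUpdate(cmd);
        }
    }

    // The recommended form: the value is bound as a parameter and is never part
    // of the SQL text, so no character in it can change the statement's meaning.
    static int insertByPreparedStatement(Connection con, String var1) throws SQLException {
        String cmd = "INSERT INTO huxtable (descrip) VALUES (?)";
        try (PreparedStatement ps = con.prepareStatement(cmd)) {
            ps.setString(1, var1);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = con.createStatement()) {
            st.executeUpdate("CREATE TABLE huxtable (descrip VARCHAR(100))");
            try {
                insertByConcatenation(con, VAR1);
            } catch (SQLException e) {
                // Expected: the unbalanced quote makes the statement unparseable.
                System.out.println("concatenation failed: " + e.getMessage());
            }
            int rows = insertByPreparedStatement(con, VAR1);
            System.out.println("prepared statement stored " + rows + " row(s)");
        }
    }
}
```

The concatenated insert fails on the apostrophe, while the bound parameter stores the value verbatim; the same separation of SQL text from data is what closes the hole the quoted comments warn about.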

