| Started by | "Lew" <lew@THRWHITE.remove-dii-this> |
|---|---|
| First post | 2011-04-27 15:22 +0000 |
| Last post | 2011-04-27 15:22 +0000 |
| Articles | 2 — 2 participants |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: colon questions "Lew" <lew@THRWHITE.remove-dii-this> - 2011-04-27 15:22 +0000
Re: colon questions "Arne Vajhøj" <=?utf-8?b?qxjuzsbwywpow7h@THRWHITE.remove-dii-this> - 2011-04-27 15:22 +0000
| From | "Lew" <lew@THRWHITE.remove-dii-this> |
|---|---|
| Date | 2011-04-27 15:22 +0000 |
| Subject | Re: colon questions |
| Message-ID | <oJudncKbAtO1S_fVnZ2dnUVZ_jGdnZ2d@comcast.com> |
To: comp.lang.java.databases

Lew wrote:
>>> String var1 = "Dianne''s horse";
>>> String cmd = "UPDATE huxtable (descrip) VALUES ( '" + var1 + "' )";
>>> // DO NOT EVER DO SQL IN THIS MANNER!
>>> // IT IS A SECURITY HOLE BIG ENOUGH TO COAST A TRUCK THROUGH!
>>> // USE PreparedStatement!

Arne Vajhøj wrote:
> Besides the SQL looks very non standard. The standard is:
>
> INSERT INTO tbl VALUES(val);
> INSERT INTO tbl(fld) VALUES(val);
> UPDATE tbl SET fld=val;
> UPDATE tbl SET fld=val WHERE id=otherval;

Actually, it's wrong, not non-standard. I mistakenly didn't check it. Not that it mattered for my points, which were mostly about Java.

My advice not to do SQL that way is also valid, for valid SQL, despite the fact that my SQL was not valid. So whichever of the INSERT INTO (which is what I *meant* to write) or UPDATE commands one uses, one should not inject Strings directly into the statement but use PreparedStatement instead.

--
Lew

--- * Synchronet * The Whitehouse BBS --- whitehouse.hulds.com --- check it out free usenet!
--- Synchronet 3.15a-Win32 NewsLink 1.92
Time Warp of the Future BBS - telnet://time.synchro.net:24
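The difference Lew is pointing at, as an added example that is not part of the thread: the same INSERT built by string concatenation and by a bound parameter, run against an in-memory SQLite database. Python's DB-API `?` placeholder stands in for JDBC's `PreparedStatement.setString` here because it runs offline; the table name, column and sample values are taken from the thread, and the doubled-apostrophe variant is the ad-hoc escaping Lew's snippet relied on.

```python
import sqlite3

# Constructed sample inputs: the value from the thread, and the version with
# the apostrophe doubled by hand (the escaping the original snippet relied on).
PLAIN = "Dianne's horse"
DOUBLED = "Dianne''s horse"


def fresh_db():
    """In-memory database with the table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE huxtable (id INTEGER PRIMARY KEY, descrip TEXT)")
    return conn


def insert_by_concat(conn, descrip):
    """The pattern warned against: user data spliced into the statement text.
    A plain apostrophe in the data terminates the string literal early, so
    the statement no longer parses; any other SQL punctuation in the data is
    interpreted the same way, which is the security hole."""
    sql = "INSERT INTO huxtable (descrip) VALUES ( '" + descrip + "' )"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return "error: %s" % exc


def insert_by_param(conn, descrip):
    """The recommended pattern: the statement text is fixed and the value is
    bound separately, so the driver never parses the data as SQL. No manual
    escaping is needed, and none must be applied (see DOUBLED below)."""
    conn.execute("INSERT INTO huxtable (descrip) VALUES ( ? )", (descrip,))
    return "ok"


def stored(conn):
    return [row[0] for row in conn.execute("SELECT descrip FROM huxtable ORDER BY id")]


def demo():
    """Run both forms against both inputs and report what ended up in the table."""
    conn = fresh_db()
    results = {
        "concat_plain": insert_by_concat(conn, PLAIN),      # syntax error, nothing stored
        "concat_doubled": insert_by_concat(conn, DOUBLED),  # ok, stores "Dianne's horse"
        "param_plain": insert_by_param(conn, PLAIN),        # ok, stores "Dianne's horse"
        "param_doubled": insert_by_param(conn, DOUBLED),    # ok, stores the two apostrophes literally
    }
    results["rows"] = stored(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note the last row: with a bound parameter the doubled apostrophe is stored as typed, so code that both escapes by hand and uses parameters corrupts its own data.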
| From | "Arne Vajhøj" <=?utf-8?b?qxjuzsbwywpow7h@THRWHITE.remove-dii-this> |
|---|---|
| Date | 2011-04-27 15:22 +0000 |
| Message-ID | <486d34e3$0$90262$14726298@news.sunsite.dk> |
| In reply to | #200 |
To: comp.lang.java.databases

Lew wrote:
> Lew wrote:
>>>> String var1 = "Dianne''s horse";
>>>> String cmd = "UPDATE huxtable (descrip) VALUES ( '" + var1 + "' )";
>>>> // DO NOT EVER DO SQL IN THIS MANNER!
>>>> // IT IS A SECURITY HOLE BIG ENOUGH TO COAST A TRUCK THROUGH!
>>>> // USE PreparedStatement!
>
> Arne Vajhøj wrote:
>> Besides the SQL looks very non standard. The standard is:
>>
>> INSERT INTO tbl VALUES(val);
>> INSERT INTO tbl(fld) VALUES(val);
>> UPDATE tbl SET fld=val;
>> UPDATE tbl SET fld=val WHERE id=otherval;
>
> Actually, it's wrong, not non-standard.

There is a 99.99% chance that it is wrong. But since the original poster did not say what database he was using, I preferred just calling it "non standard" - some databases have some weird syntaxes.

Arne