Re: How does postgres handle non literal string values - Mailing list pgsql-sql
From: Charles H. Woloszynski
Subject: Re: How does postgres handle non literal string values
Msg-id: 3DEDFC62.6060703@clearmetrix.com
In response to: Re: How does postgres handle non literal string values (Vernon Wu <vernonw@gatewaytech.com>)
Responses: Re: How does postgres handle non literal string values
List: pgsql-sql
Vernon:

Agreed. We use Struts (as our MVC framework), and then a data access layer (we call persistables) that uses the PreparedStatements. Our JSPs only get data to render *after* the business logic has decided that all logic has been performed successfully. The end result is easily compartmentalized code (lots of code factoring) that makes for very robust applications.

We are working on moving this framework to PostgreSQL (from Oracle) and we expect to have to touch the SQL statements (which are each in their own class, again for re-use) and perhaps two or three other classes to deal with any JDBC driver issues. When we make the transition successfully, I hope to be able to publicize the work and the value of PostgreSQL.

Charlie

Vernon Wu wrote:

> In general, it isn't a good idea to have SQL statements in JSP files. A good practise is using Mode 2. The Struts is a popular Mode 2 framework. If your application is very small and it won't grow into a big one, you can get around using Mode 1. In the situation, the SQL tags of JSTL will be a recommended mechanism.
>
> 11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:
>
>> Actually, we use JDBC Prepared Statements for this type of work. You put a query with '?' in as placeholders and then add in the values and the library takes care of the encoding issues. This avoids the double encoding of (encode X as String, decode string and encode as SQL X on the line). There was a good article about a framework that did this in JavaReport about 18 months ago.
>>
>> We have gleaned some ideas from that article to create a framework around using PreparedStatements as the primary interface to the database. I'd suggest looking at them. They really make your code much more robust.
>>
>> Charlie
>>
>>> "')..."
>>>
>>> You *will* want to escape the username and password otherwise I'll be able to come along and insert any values I like into your database. I can't believe the JDBC classes don't provide
>>>
>>> 1. Some way to escape value strings
>>> 2. Some form of placeholders to deal with this

--
Charles H. Woloszynski
ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com
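An added illustration of the two approaches discussed in this thread (not code from the thread or from ClearMetrix's framework): the string-spliced query that the JSP snippet above was criticised for, beside the JDBC PreparedStatement form with '?' placeholders. The `users` table, its `id`/`username`/`password` columns and the `UserLookup` class are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Constructed example: the same login lookup built two ways. */
public final class UserLookup {

    // The pattern the thread warns about: request values spliced into the
    // SQL text. A single quote inside 'username' ends the literal early, so
    // the rest of the input is parsed as SQL rather than compared as data.
    // Hand-written escaping is the "double encoding" Charlie mentions.
    static String concatenatedQuery(String username, String password) {
        return "SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'";
    }

    // The PreparedStatement form: the statement text is fixed and contains
    // only '?' placeholders; the values are bound separately through the
    // driver, which guarantees they are treated as data, never as SQL.
    static final String LOOKUP_SQL =
        "SELECT id FROM users WHERE username = ? AND password = ?";

    // Returns the matching user id, or null when no row matches.
    // (How the password column is stored is outside this example's scope;
    // the point here is only the parameter binding.)
    static Integer findUserId(Connection conn, String username, String password)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(LOOKUP_SQL)) {
            ps.setString(1, username);   // bound as a value, no escaping code needed
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }
}
```

The same `setString` binding works unchanged across the Oracle and PostgreSQL JDBC drivers, which is why keeping each statement in its own class, as described above, leaves only the SQL dialect to revisit during the migration.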