Re: How does postgres handle non literal string values - Mailing list pgsql-general

From Doug McNaught
Subject Re: How does postgres handle non literal string values
Date
Msg-id m3fztndog4.fsf@varsoon.wireboard.com
In response to How does postgres handle non literal string values  (monroy@mindspring.com (javaholic))
List pgsql-general
monroy@mindspring.com (javaholic) writes:

>                         String insertString =
>                         "INSERT INTO  \"login\" ('user', 'password')
> VALUES ('username', 'password')";

First, your SQL syntax is wrong (field names in an INSERT shouldn't be
quoted), and second, Java isn't Perl--it won't magically interpolate
variable values into a string.  Try:

String insertString =
 "INSERT INTO  \"login\" (user, password) VALUES ('" + username
 + "', '" + password + "')";

This will work but has a gaping security hole.  Even better, use a
PreparedStatement instead--it's much cleaner and is immune to SQL
injection attacks.

-Doug
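The two forms Doug contrasts, side by side, as an added example that is not part of the original thread or of the poster's code. It assumes a PostgreSQL table `"login"` with columns `"user"` and `password` (the original's column name `user` is a reserved word in PostgreSQL, so it is written as a double-quoted identifier here; double quotes delimit identifiers, single quotes delimit string literals, which is the distinction the original INSERT got wrong), the PostgreSQL JDBC driver on the classpath, and placeholder connection details.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class LoginInsert {

    // The concatenation form from the thread. The SQL text is built from the
    // caller's data, so any quote character in username or password becomes
    // part of the statement. Kept only for comparison; do not execute it.
    static String buildUnsafe(String username, String password) {
        return "INSERT INTO \"login\" (\"user\", password) VALUES ('"
                + username + "', '" + password + "')";
    }

    // The PreparedStatement form. The statement text is fixed; username and
    // password travel to the server as parameters, never as SQL, so a quote
    // in either value is stored literally. Returns the number of rows inserted.
    static int insertLogin(Connection conn, String username, String password)
            throws SQLException {
        String sql = "INSERT INTO \"login\" (\"user\", password) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: a username containing a single quote.
        String username = "o'brien";
        String password = "s3cret";

        // The concatenated statement is already malformed for this input
        // (the quote ends the literal early), which is the same mechanism
        // an injection exploits.
        System.out.println("Unsafe text: " + buildUnsafe(username, password));

        // Placeholder connection details (assumption, not from the thread).
        String url = "jdbc:postgresql://localhost:5432/example";
        try (Connection conn = DriverManager.getConnection(url, "dbuser", "dbpass")) {
            int rows = insertLogin(conn, username, password);
            System.out.println(rows + " row(s) inserted");
        }
    }
}
```

`insertLogin` takes the `Connection` as a parameter so it can be exercised against any JDBC data source; the `main` method only shows the wiring. Storing a login password as a plain string, as both the original and this example do, is a separate problem from injection; in practice the second parameter would be a password hash, not the password itself.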

