You should be using parameterized statements. For Java, use PreparedStatement with placeholders. You say you don't want to use parameterised statements, but you don't explain why, and frankly it has to be a very good reason not to use them because they're the simplest, safest way to fix the problem you are trying to solve.

This is so many worlds of bad, because your question implies that you probably have gaping SQL injection holes in your application. Imagine what happens if you get the value ') DROP SCHEMA public - from a malicious user.

There is no public function in PgJDBC for string quoting and escaping. That's partly because it might make it seem like a good idea.

There are built-in quoting functions quote_literal and quote_ident in PostgreSQL, but they are for PL/PgSQL functions that use EXECUTE. These days quote_literal is mostly obsoleted by EXECUTE ... USING, which is the parameterised version, because it's safer and easier. You cannot use them for the purpose you explain here, because they're server-side functions.

If I understand the case in question you have double quotes and commas inside fields in the file: 1234,1,'A',false,'Some text 'some more, text' some more text'. The specification states that you need to escape the double quote (use double double quotes for double quotes) inside a field.
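An added example (not the answerer's code) of the two points above: split a CSV record whose quoted fields use doubled double quotes, then insert the fields through PreparedStatement placeholders instead of building SQL text. The table name, column names and the sample record are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
public class CsvToPostgres {
    // Constructed sample record: a quoted field containing commas and doubled quotes.
    static final String SAMPLE = "1234,1,\"A\",false,\"Some text \"\"some more, text\"\" some more text\"";
    // Split one CSV record; a literal double quote inside a quoted field is written as "".
    static List<String> parseCsvLine(String line) {
        List<String> fields = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (inQuotes) {
                if (c != '"') {
                    cur.append(c);
                } else if (i + 1 < line.length() && line.charAt(i + 1) == '"') {
                    cur.append('"'); // doubled quote -> one literal quote
                    i++;
                } else {
                    inQuotes = false; // closing quote of the field
                }
            } else if (c == '"') {
                inQuotes = true;
            } else if (c == ',') {
                fields.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        fields.add(cur.toString());
        return fields;
    }
    // Hypothetical table "records". Every value is bound through a placeholder, so a
    // field like ') DROP SCHEMA public arrives as data and is never parsed as SQL.
    static int insertRecord(Connection conn, List<String> f) throws SQLException {
        String sql = "INSERT INTO records (id, seq, code, flag, note) VALUES (?, ?, ?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, Long.parseLong(f.get(0)));
            ps.setInt(2, Integer.parseInt(f.get(1)));
            ps.setString(3, f.get(2));
            ps.setBoolean(4, Boolean.parseBoolean(f.get(3)));
            ps.setString(5, f.get(4));
            return ps.executeUpdate();
        }
    }
}
```

parseCsvLine(SAMPLE) yields five fields, the last being Some text "some more, text" some more text; insertRecord needs a live JDBC Connection to a database with the assumed table.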