cocoon-users mailing list archives

From Donald Ball <>
Subject Re: How to escape parameters used in SQL?
Date Thu, 12 Oct 2000 05:48:26 GMT
On Wed, 11 Oct 2000, Matthew Cordes wrote:

> In my database (Oracle) you can escape a single quote ( ' ) with another
> single quote, thus
>     SELECT * FROM names where last_name = 'O'' Donnell'
> should work, but a better solution is prepared statements.  It isn't
> too hard to rework the sql taglib to add support for a setString( int,
> String) tag to do the same thing as the PreparedStatement's method of
> the same name.
> I think I overheard someone saying prepared statements were on the
> todo list for the esql, so maybe someday soon that will be another
> option.

it's there already in cvs. try it:

<esql:statement>select * from department_table where name =
<esql:parameter><request:get-parameter name="name"/></esql:parameter>
</esql:statement>

defaults to string but you can make it be anything you want by adding a
type attribute (e.g. type="int"). i think anyway. i have received _no_
feedback since initially adding this, so speak up if you want a say in the
syntax or features.

- donald
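An added example (written for this archive page, not code from the thread or from Cocoon's esql taglib) that contrasts the three approaches the thread mentions: pasting the request value into the SQL text, doubling single quotes by hand, and binding a parameter the way esql:parameter / setString does. It uses Python's built-in sqlite3 as a stand-in for Oracle/JDBC, since SQLite also escapes a single quote by doubling it; the table and inputs are constructed.

```python
import sqlite3

# Constructed sample data, not taken from the thread.
NAMES = [("Donnell", "O'Donnell"), ("Alice", "Smith"), ("Bob", "Jones")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO names VALUES (?, ?)", NAMES)
    return conn


def lookup_concat(conn, last_name):
    """Unsafe: the request value becomes part of the SQL text itself."""
    sql = "SELECT first_name FROM names WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, last_name):
    """Manual escaping as in the quoted post: double every single quote.
    Valid for a string literal, but it has to be repeated correctly for
    every parameter and does nothing for numeric or date parameters."""
    escaped = last_name.replace("'", "''")
    sql = "SELECT first_name FROM names WHERE last_name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, last_name):
    """Bound parameter: the driver sends the value separately from the SQL,
    which is what <esql:parameter> / PreparedStatement.setString gives you."""
    sql = "SELECT first_name FROM names WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Run the same lookup three ways; 'error' marks SQL that failed to parse."""
    conn = make_db()
    results = {}
    for label, fn in (("concat", lookup_concat),
                      ("escaped", lookup_escaped),
                      ("param", lookup_param)):
        try:
            results[label] = fn(conn, last_name)
        except sqlite3.Error:
            results[label] = "error"
    conn.close()
    return results


if __name__ == "__main__":
    # A real surname with an apostrophe breaks the naive query outright;
    # a value that closes the literal and adds an OR clause makes it match every row.
    for value in ("Smith", "O'Donnell", "x' OR 'a'='a"):
        print(repr(value), compare(value))
```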
