db-derby-user mailing list archives

From "Dan Scott" <deni...@gmail.com>
Subject Re: Date - Timestamp format for inserts?
Date Mon, 20 Nov 2006 04:29:35 GMT
On 19/11/06, Daniel Noll <daniel@nuix.com> wrote:
> Marl Atkins wrote:
> > What's wrong with this statement?
> > INSERT INTO users
> > (RecordID,CTMCClientID,OrgName,Prefix,FName,MidInit,LName,Addr1,Addr2,City,
> > State,Zip,Phone,CellPhone,AltPhone,Fax,Email,Login,Password,Status,
> > AccessLevelID,DateCreated,CreatedBy,DateExpired ) VALUES(1,NULL,'SoftLink Systems, Inc.',
> > NULL,'Marl',NULL,'Atkins',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
> > NULL,'marl','marl',0,1,'2006-09-10-00',1,'2050-01-01-00' )
>
> Is there any particular reason you're not doing this the normal way?
>
> (i.e. using ? and then setTimestamp(int,Timestamp))

The original poster didn't mention which language was being used to
access Derby. Yes, it's 99% likely that it was Java, but Derby does
give people the ability to connect via ODBC, PHP, Perl, Python, etc.,
so a workaround in one specific language doesn't apply to all of those
other languages. That being said, all of the official Derby docs speak
JDBC only, so I should probably hold my tongue.

But I do have to point out that saying "the normal way" isn't enough.
You have to realize that people are coming to Derby from all kinds of
different database backgrounds. For example, until recently it was
common MySQL programming practice to simply interpolate language-level
variables into SQL statements because MySQL lacked the ability to bind
columns against parameter markers.

In this case, you're really suggesting that the poster use a prepared
SQL statement that contains one or more parameter markers (the ?
symbol) that are bound against input variable(s). There's a general
description of prepared statements at
http://db.apache.org/derby/docs/dev/tuning/ctunperf18705.html, which
doesn't mention one other major benefit of prepared statements -- they
provide a fairly effective defence against SQL injection attacks.

Dan
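The following is an added illustration, not code from either poster or from the Derby project, of the two points raised in this thread: binding the timestamp with setTimestamp(int, Timestamp) instead of spelling out a literal, and the injection resistance that parameter markers give you. It assumes the Derby jars are on the classpath, uses an in-memory database URL (jdbc:derby:memory:demo;create=true), and reduces the poster's table to three columns (Login, Password, DateCreated); the table and the hostile login value are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Timestamp;

public class DerbyParamMarkerDemo {

    // Assumption: an embedded, in-memory Derby instance; no files are written.
    private static final String URL = "jdbc:derby:memory:demo;create=true";

    // A constructed "login" value that closes the string literal and injects its
    // own VALUES clause when it is interpolated into the SQL text.
    static final String HOSTILE_LOGIN = "x', 'owned', CURRENT_TIMESTAMP) -- ";

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("CREATE TABLE users ("
                    + "Login VARCHAR(64), Password VARCHAR(64), DateCreated TIMESTAMP)");
            }

            insertByConcatenation(conn, HOSTILE_LOGIN);   // the interpolation habit
            insertWithParameters(conn, HOSTILE_LOGIN);    // the prepared-statement way

            // Only the parameterised insert stored the hostile string verbatim; the
            // concatenated one executed the injected VALUES clause instead.
            try (PreparedStatement q = conn.prepareStatement(
                    "SELECT Login, Password, DateCreated FROM users")) {
                try (ResultSet rs = q.executeQuery()) {
                    while (rs.next()) {
                        System.out.println(rs.getString(1) + " | "
                            + rs.getString(2) + " | " + rs.getTimestamp(3));
                    }
                }
            }
        }
    }

    // Vulnerable: language-level variables pasted straight into the statement text.
    // The timestamp is also written as a literal, so its spelling must match what
    // Derby's parser accepts.
    static void insertByConcatenation(Connection conn, String login) throws SQLException {
        String sql = "INSERT INTO users (Login, Password, DateCreated) VALUES ('"
            + login + "', 'marl', '2006-09-10 00:00:00')";
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    // Hardened: the statement is compiled with ? markers, and each value is bound
    // separately. The driver never re-parses bound values as SQL, and setTimestamp
    // removes the question of how to write the TIMESTAMP literal at all.
    static void insertWithParameters(Connection conn, String login) throws SQLException {
        String sql = "INSERT INTO users (Login, Password, DateCreated) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, login);
            ps.setString(2, "marl");
            ps.setTimestamp(3, Timestamp.valueOf("2006-09-10 00:00:00"));
            ps.executeUpdate();
        }
    }
}
```

Run it with the Derby jars on the classpath and compare the two rows: the concatenated insert produced a row with login x and password owned, neither of which the caller intended, while the parameterised insert stored the whole hostile string as a login and the exact timestamp that was bound. The password column is kept as-is only to mirror the original statement; a real schema would hold a password hash rather than the cleartext value.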
