Mailing-List: contact taglibs-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tag Libraries Developers List" <taglibs-dev@jakarta.apache.org>
Date: Sat, 25 May 2002 11:28:16 -0400 (EDT)
From: Shawn Bayern <bayern@essentially.net>
To: Tag Libraries Developers List <taglibs-dev@jakarta.apache.org>,
   steve.olson@ait-inc.com
Subject: RE: Startard Taglib- SQL bind variables
In-Reply-To: <005c01c202ad$0f64feb0$6e00a8c0@epic.aitinc.com>
Message-ID: <Pine.LNX.4.21.0205251121240.16931-100000@precision>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 23 May 2002, Steve A. Olson wrote:

> Right, to avoid that danger the SQL statement must be pre-processed to
> substitute any scripting variables into actual SQL bind variables
> using a preparedStatement.  This avoids the SQL syntax errors when
> variables are null or have no value. Perhaps using :variables would
> avoid the EL parsing.

Hi Steve --

Thanks for the suggestion, but it's too late to change how JSTL 1.0 will
work.  I personally once considered a variation on this model, using
<sql:param> inline in a query instead of relying on PreparedStatement-syle
placeholders, as:

  <sql:update>
    UPDATE tablename
    SET foo = <sql:param value="${bar}"/>
    WHERE foo = <sql:param value="${oldBar}"/>
  </sql:update>

Ultimately, relying on the JDBC-standard mechanism should take better
advantage of existing mindshare and might even interoperate better.  (I
know of environments where ?-escaped queries are stored in property
sheets, for instance.)

But still, it's not a bad thought.  I suggest mailing

	jsr-52-comments@jcp.org

to make sure it's on a list for items to consider after JSTL 1.0.

Thanks again for the suggestion!

-- 
Shawn Bayern
"JSP Standard Tag Library"   http://www.jstlbook.com
(coming in July 2002 from Manning Publications)


--
To unsubscribe, e-mail:   <mailto:taglibs-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:taglibs-dev-help@jakarta.apache.org>