logging-log4j-user mailing list archives

From Ben Sandee <tbsan...@pobox.com>
Subject Re: Log4j JDBCAppender
Date Thu, 06 Jun 2002 19:32:07 GMT
Kevin Steppe wrote:

<snip>

>
> try sending the following into a string column without doing any 
> escaping:
> hello "john" I'm Kevin, we're friends "you and I"
>
> such as: insert into testTable (StringCol) values (hello "john" I'm 
> Kevin, we're friends "you and I")
>
> To make it work you'll need a few backslashes -- plus you'll need 
> quotes at either end of the value which aren't escaped, note that 
> neither double nor single quotes will solve the problem in this corner 
> case. Then write me an algorithm to insert backslashes in the generic 
> case where some quotes don't need an escape such as:
> insert into lt (message) values ('%m')
> -- ie, the quotes shouldn't be escaped, but the whole string once 
> formatted will need escapes inside
> Then I'll happily put that algorithm to use!


We're definitely not connecting here, for some reason.  I think we're 
talking about two different scenarios -- but just to make sure....  This 
code works fine on every database server I've ever had to support 
(Oracle***, Sybase ASE and ASA):

Create a file ("testfile.txt") with the following text (verbatim):
hello "john" I'm Kevin, we're friends "you and I"

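import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.sql.PreparedStatement;

// conn is an already-open java.sql.Connection
String stringValue;

// Read the test line exactly as it appears in the file
BufferedReader br = new BufferedReader(new FileReader(new File("testfile.txt")));
try
{
    stringValue = br.readLine();
}
finally
{
    br.close();
}

// The value is passed as a bound parameter, not pasted into the SQL text
PreparedStatement st = conn.prepareStatement("INSERT INTO TestTable(StringCol) VALUES (?)");
try
{
    st.setString(1, stringValue);
    st.executeUpdate();
}
finally
{
    st.close();
}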

Nowhere in there was I forced to escape anything.  I agree with you that 
if you aren't using PreparedStatements, constructing an algorithm to 
safely, generically escape arbitrary strings for inclusion directly into 
a SQL is a non-trivial, possibly impossible task.  It's really something 
that *should* be part of the JDBC API.

Ben

*** Note that this was using their server and OCI driver.  Their thin 
driver used to have too many bugs, some of which relate to 
PreparedStatement parameter processing, if I remember correctly.
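
The contrast discussed in this thread, as an added example that is not part of the original message or of log4j's code: the same value substituted into a '%m' pattern versus bound as a parameter. Python's built-in sqlite3 module stands in for JDBC here; the table lt and the pattern are the ones quoted above, while the function names and the second sample value are made up for illustration.

```python
import sqlite3

# The message from the thread, verbatim.
MESSAGE = 'hello "john" I\'m Kevin, we\'re friends "you and I"'
# Constructed sample: a value that already contains a doubled apostrophe.
DOUBLED = "it''s"
# The SQL pattern quoted in the thread; %m is replaced by the message text.
PATTERN = "insert into lt (message) values ('%m')"


def open_db():
    """In-memory database with the single-column table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table lt (message text)")
    return conn


def insert_by_substitution(conn, message):
    """Paste the message into the SQL text, as a pattern layout would.

    Returns None if the statement ran, otherwise the database error text.
    """
    sql = PATTERN.replace("%m", message)
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_by_binding(conn, message):
    """Send the message as a bound parameter; the SQL text never changes."""
    conn.execute("insert into lt (message) values (?)", (message,))


def stored(conn):
    """All stored messages in insertion order."""
    return [r[0] for r in conn.execute("select message from lt order by rowid")]


if __name__ == "__main__":
    conn = open_db()
    print("substitution:", insert_by_substitution(conn, MESSAGE))
    insert_by_binding(conn, MESSAGE)
    insert_by_substitution(conn, DOUBLED)  # runs, but stores a different value
    insert_by_binding(conn, DOUBLED)
    for row in stored(conn):
        print(repr(row))
```

With substitution the first value is rejected by the SQL parser and the second is stored altered; with binding both are stored exactly as given.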

