Posted to taglibs-dev@jakarta.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2001/03/20 15:41:23 UTC

[BUG] JDBC Taglib Bug?

JDBC Taglib bug report:

>The JDBC taglib appears to have a bug. The example web application is throwing an 
>SQLException--it appears to not escape a string properly. For more information, 
>read my bug report on Jakarta's Bugzilla:

>http://nagoya.betaversion.org/bugzilla/show_bug.cgi?id=1032

Re: [BUG] JDBC Taglib Bug?

Posted by Marius Scurtescu <ma...@multiactive.com>.
The following article may help:
http://www.jguru.com/faq/view.jsp?EID=8881

It looks like you can use pretty much any character
as an escape character as long as you state this
using an escape clause.

Since the escape clause must be at the end of the 
query (I am not sure about this though), probably 
the "query" tag should be the one inserting it.

Following the same logic this very same tag
should have an optional attribute to specify the 
escape character. The default should be the single
quote I guess.

The "escapeSQL" tag should retrieve the escape
character from the enclosing "query" tag.

I am not sure if the escape clause should be always
added at the end. One approach could be to add
it only if there are "escapeSQL" subtags. But then
people may hard code some escape sequences.
Probably the safest thing is to always add it.

Marius

Morgan Delagrange wrote:
> 
> Hmm, yuck.  The ANSI standard is (I think) single
> quotes, but most SQL parsers support both.  It looks
> like the InstantDB parser doesn't.  Well, we can
> probably work around this.  How about we leave single
> quotes as the default, but add an escapeChar attribute
> which can be assigned to " for the ANSI-impaired?
> I can put both single and double quote escaping
> inside the example JSP and wrap them both in a try
> block.
> 
> What I would prefer to do is autodetect the default
> quote escape character for strings and use that,
> rather than requiring an explicit attribute.  However
> I don't see how to do that in JDBC.  You would think
> that there should be an ESCAPE_CHAR constant inside
> the Statement class, but I don't see one there or
> anywhere else.  The only thing I can find that looks
> promising is this:
> 
>   DatabaseMetaData.getIdentifierQuoteString()
> 
> but the description is vague:
> 
>   What's the string used to quote SQL
>   identifiers? This returns a space " " if
>   identifier quoting isn't supported. A
>   JDBC Compliant(TM) driver always uses a
>   double quote character.
> 
> What is a "SQL identifier"?  It appears to be the
> column names and not the value to be assigned.  It's
> weird, there is a method for finding the wildcard
> escape character(s)
> (DatabaseMetaData.getSearchStringEscape()), but I
> don't see one for escaping quotes in a string.
> 
> - Morgan
> 
> --- Glenn Nielsen <gl...@voyager.apg.more.net> wrote:
> > JDBC Taglib bug report:
> >
> > >The JDBC taglib appears to have a bug. The example
> > web application is throwing an
> > >SQLException--it appears to not escape a string
> > properly. For more information,
> > >read my bug report on Jakarta's Bugzilla:
> >
> >
> >http://nagoya.betaversion.org/bugzilla/show_bug.cgi?id=1032
> 
> =====
> Morgan Delagrange
> Britannica.com
> 

-- 
------------------
Marius Scurtescu, Software Engineer
Tel: (604) 899-2835 Fax: (604) 899-2899
mailto:marius@multiactive.com
Multiactive Software Inc. http://www.multiactive.com
------------------

Re: [BUG] JDBC Taglib Bug?

Posted by Morgan Delagrange <md...@yahoo.com>.
Hmm, yuck.  The ANSI standard is (I think) single
quotes, but most SQL parsers support both.  It looks
like the InstantDB parser doesn't.  Well, we can
probably work around this.  How about we leave single
quotes as the default, but add an escapeChar attribute
which can be assigned to " for the ANSI-impaired?
I can put both single and double quote escaping
inside the example JSP and wrap them both in a try
block.

What I would prefer to do is autodetect the default
quote escape character for strings and use that,
rather than requiring an explicit attribute.  However
I don't see how to do that in JDBC.  You would think
that there should be an ESCAPE_CHAR constant inside
the Statement class, but I don't see one there or
anywhere else.  The only thing I can find that looks
promising is this:

  DatabaseMetaData.getIdentifierQuoteString() 

but the description is vague:

  What's the string used to quote SQL 
  identifiers? This returns a space " " if 
  identifier quoting isn't supported. A 
  JDBC Compliant(TM) driver always uses a
  double quote character.

What is a "SQL identifier"?  It appears to be the
column names and not the value to be assigned.  It's
weird, there is a method for finding the wildcard
escape character(s)
(DatabaseMetaData.getSearchStringEscape()), but I
don't see one for escaping quotes in a string.

- Morgan

--- Glenn Nielsen <gl...@voyager.apg.more.net> wrote:
> JDBC Taglib bug report:
> 
> >The JDBC taglib appears to have a bug. The example
> web application is throwing an 
> >SQLException--it appears to not escape a string
> properly. For more information, 
> >read my bug report on Jakarta's Bugzilla:
> 
>
>http://nagoya.betaversion.org/bugzilla/show_bug.cgi?id=1032


=====
Morgan Delagrange
Britannica.com

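An added example in Java, not code from the JDBC taglib and assuming nothing about its classes, that keeps apart the three quoting jobs the thread runs together: escaping a quote inside a string literal (what the escapeSQL tag does, with the proposed escapeChar attribute defaulting to the single quote), quoting identifiers with whatever getIdentifierQuoteString() returns (column names, not values, as Morgan notes), and escaping LIKE wildcards with getSearchStringEscape(). The metadata strings in main are constructed sample values, so it runs without a database.

```java
// Added example, not code from the JDBC taglib: the three quoting jobs the
// thread runs together, kept separate.
public final class SqlQuoting {
    // Default literal delimiter, the ANSI single quote the thread keeps.
    public static final char DEFAULT_ESCAPE_CHAR = '\'';

    // Build a SQL string literal by doubling each embedded delimiter, so
    // O'Reilly -> 'O''Reilly'. quoteChar stands in for the proposed
    // escapeChar attribute; a parser wanting double-quoted strings gets '"'.
    public static String literal(String value, char quoteChar) {
        if (value == null) {
            return "NULL";
        }
        StringBuilder sb = new StringBuilder(value.length() + 2).append(quoteChar);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == quoteChar) {
                sb.append(quoteChar); // doubled, never backslash-escaped
            }
            sb.append(c);
        }
        return sb.append(quoteChar).toString();
    }

    // Quote a column or table name with the string returned by
    // DatabaseMetaData.getIdentifierQuoteString(): identifiers only, never
    // values; a lone space means the driver cannot quote identifiers.
    public static String identifier(String name, String identifierQuote) {
        if (identifierQuote == null || identifierQuote.trim().isEmpty()) {
            return name;
        }
        String doubled = name.replace(identifierQuote, identifierQuote + identifierQuote);
        return identifierQuote + doubled + identifierQuote;
    }

    // Escape LIKE wildcards with DatabaseMetaData.getSearchStringEscape(),
    // the only escape character JDBC reports; it is unrelated to quotes.
    public static String likePattern(String text, String searchEscape) {
        return text.replace(searchEscape, searchEscape + searchEscape)
                   .replace("%", searchEscape + "%")
                   .replace("_", searchEscape + "_");
    }

    public static void main(String[] args) {
        String identQuote = "\""; // constructed stand-ins for live metadata values
        String searchEsc = "\\";
        System.out.println(literal("O'Reilly", DEFAULT_ESCAPE_CHAR));
        System.out.println(literal("say \"hi\"", '"'));
        System.out.println(identifier("last name", identQuote));
        System.out.println(likePattern("100%_done", searchEsc));
    }
}
```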