Posted to dev@commons.apache.org by Chad Johnson <ch...@csoft.net> on 2001/12/10 03:14:22 UTC

Possible addition to StringUtils

Hey,
  Just wondering if a method that escapes single and double quotes, and
other potential SQL query breaking characters has been considered for
addition to the StringUtils class?  I'd imagine this would be usefull when
using a prepared statement for query construction with insecure data isn't an
option.

-Chad Johnson


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: Possible addition to StringUtils

Posted by "Laird J. Nelson" <lj...@alumni.amherst.edu>.
> -----Original Message-----
> From: bayard@generationjava.com [mailto:bayard@generationjava.com]
> I suggest we wait to see your method when you submit it and see if it
> satisfies Chad's requirements. Or at least, see if we can
> change it from
> Writer to String and see if that works :)

Righto; I'm on it.  You can dig around in what I've got so far, if you
like; it's the foundry.io.EscapingWriter class in the Foundry project on
SourceForge (http://sourceforge.net/projects/foundry).  You'll have to
browse the CVS repository to see what's there; the only file release
I've put up is from March of this year, and doesn't contain some of this
functionality.

Cheers,
Laird




RE: Possible addition to StringUtils

Posted by ba...@generationjava.com.

> But often you're working with Strings whose content you aren't sure of,
> and you might want to escape both, say, single quotes with a backslash,
> and backslashes with a backslash.  Unless I'm being slow, two method
> invocations here will result in undesired behavior.
>

Good point. There is a functionality difference. In which case I'm in
favour of your previously mentioned Map-like API.

I suggest we wait to see your method when you submit it and see if it
satisfies Chad's requirements. Or at least, see if we can change it from
Writer to String and see if that works :)

Bay





RE: Possible addition to StringUtils

Posted by "Laird J. Nelson" <lj...@alumni.amherst.edu>.
> -----Original Message-----
> From: bayard@generationjava.com [mailto:bayard@generationjava.com]
> I think that's a bit too yucky. Rather than having different escaping
> systems in the same method call, it can easily just be two
> method calls.

But often you're working with Strings whose content you aren't sure of,
and you might want to escape both, say, single quotes with a backslash,
and backslashes with a backslash.  Unless I'm being slow, two method
invocations here will result in undesired behavior.

Cheers,
Laird




Re: Possible addition to StringUtils

Posted by ba...@generationjava.com.
I think that's a bit too yucky. Rather than having different escaping
systems in the same method call, it can easily just be two method calls.

The only thing that worries me is assuming that the escaped character is
always escaped using itself. This is quite a pedantic point though, I
would imagine the more popular method would be an overloaded one that
assumes it's always escaped by itself.

So:

String escapeGeneric(String stringToEscapeIn,
                     char[] charsToEscape,
                     char escapingChar,
                     char escapingEscaping);

and overloads of:

String escapeGeneric(String, char[], char)
String escapeGeneric(String, char, char)

Maybe? :)

On Mon, 10 Dec 2001, Chad Johnson wrote:

> Wouldn't B always be escaped with \ since it's Java's escaping we're worrying
> about at this point?
>
> What if the following was supplied instead (slightly modified):
>
> Character A to be escaped. Possibly a list of characters.
> A corresponding Character B to put in front of escaped character A.
>
>      A = {"'", "t", 'b'}
>      B = {"'","\","\"}
>
> -Chad Johnson


RE: Possible addition to StringUtils

Posted by "Laird J. Nelson" <lj...@alumni.amherst.edu>.
> -----Original Message-----
> From: Chad Johnson [mailto:chadj@netnet.net]
> What if the following was supplied instead (slightly modified):
> Character A to be escaped. Possibly a list of characters.
> A corresponding Character B to put in front of escaped character A.
>
>      A = {"'", "t", 'b'}
>      B = {"'","\","\"}

I have an EscapingWriter class that takes in arguments very much like
this (in spirit, anyway), and I've found it to be quite useful.  The
constructor that all other constructors delegate to is this:

  public EscapingWriter(Writer writer, Properties charsToEscapeStrings);

I can attach it in another message if there is interest (it's not
strictly speaking a String transformer as it adheres to the Writer
interface and therefore escapes on the fly).  I have every intention of
formally offering this stuff up to the commons project once it's a
little more inspection-worthy.

The keys in the Properties objects are Characters, and the values are
Strings.  FWIW, in general my taste is for Properties/HashMap-like
arguments instead of twin lists that depend on each other having the
same number of corresponding elements.

Cheers,
Laird


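The single-pass, map-driven escaper that Laird's EscapingWriter constructor sketches above and that Bay's escapeGeneric proposal is reaching for, written out as an added example. It is not code from the thread, from Commons StringUtils or from Foundry; it uses only the JDK (modern Java, so generics and StringBuilder), and the class and method names are mine. It also shows why Laird's objection to doing the job as two method calls holds: with backslash escaping, escaping quotes and then backslashes in separate passes re-escapes the backslash that the first pass inserted, whereas a single pass examines each input character exactly once, so the escape character can safely be one of the characters to escape.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: a one-pass character escaper keyed by a Map, in the spirit of the API discussed above. */
public final class OnePassEscaper {

    /**
     * Replaces every character that is a key of {@code escapes} with its mapped
     * replacement string. Each input character is looked at once and only once,
     * so output produced for one character is never re-examined and re-escaped,
     * even when the escape character itself is a key.
     */
    public static String escape(String in, Map<Character, String> escapes) {
        StringBuilder out = new StringBuilder(in.length() + 8);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            String replacement = escapes.get(c);
            if (replacement == null) {
                out.append(c);
            } else {
                out.append(replacement);
            }
        }
        return out.toString();
    }

    /** Backslash style (MySQL-like): ' becomes \' and \ becomes \\. */
    public static Map<Character, String> backslashStyle() {
        Map<Character, String> m = new HashMap<>();
        m.put('\'', "\\'");
        m.put('\\', "\\\\");
        return m;
    }

    /** Doubling style (SQL standard): ' becomes ''; backslash is not special and is left alone. */
    public static Map<Character, String> doublingStyle() {
        Map<Character, String> m = new HashMap<>();
        m.put('\'', "''");
        return m;
    }

    /** The two-call approach under discussion: escape quotes first, then backslashes. */
    public static String twoPasses(String in) {
        return in.replace("'", "\\'").replace("\\", "\\\\");
    }

    public static void main(String[] args) {
        // Constructed sample input: one quote and one literal backslash.
        String sample = "O'Brien\\d";
        System.out.println("input      : " + sample);
        System.out.println("one pass   : " + escape(sample, backslashStyle()));
        System.out.println("two passes : " + twoPasses(sample));
        System.out.println("doubling   : " + escape(sample, doublingStyle()));
    }
}
```

Run main and compare the one-pass and two-pass lines: in the two-pass result the backslash that the first replace put in front of the quote has itself been doubled by the second replace, so the quote is left unescaped. Swapping the two calls happens to give the right answer for this particular pair, which is exactly the ordering dependency the single pass does away with. The doubling map is there because, as the thread notes, which style is correct depends on the database, and with a Map the caller chooses the style without the escaper knowing anything about databases.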


Re: Possible addition to StringUtils

Posted by Chad Johnson <ch...@netnet.net>.
Wouldn't B always be escaped with \ since it's Java's escaping we're worrying
about at this point?

What if the following was supplied instead (slightly modified):

Character A to be escaped. Possibly a list of characters.
A corresponding Character B to put in front of escaped character A.

     A = {"'", "t", 'b'}
     B = {"'","\","\"}

-Chad Johnson

----- Original Message -----
From: <ba...@generationjava.com>
To: "Jakarta Commons Developers List" <co...@jakarta.apache.org>
Sent: Monday, December 10, 2001 4:01 PM
Subject: Re: Possible addition to StringUtils


> Hmm.
>
> So you'd have to supply the following:
>
> Character A to be escaped. Possibly a list of characters.
> Character B to put in front of escaped character A.
> Way in which the escape character B is escaped.
>
>
> so:
>
>     A = {'n', 't', 'b'}
>     B = {'\'}
>     C = {'\'} ?
>
> Bay


Re: Possible addition to StringUtils

Posted by ba...@generationjava.com.
Hmm.

So you'd have to supply the following:

Character A to be escaped. Possibly a list of characters.
Character B to put in front of escaped character A.
Way in which the escape character B is escaped.


so:

    A = {'n', 't', 'b'}
    B = {'\'}
    C = {'\'} ?

Bay
On Mon, 10 Dec 2001, Chad Johnson wrote:

> Hey,
>   Hmm, I do like this take on the method(s).  Instead of going to great
> lengths to make it DB compatible, just lay the groundwork that makes the
> substituting possible.  The method itself would work similar to replace()
> except it would need to check if the character in question is already
> escaped.
>
>
> -Chad Johnson


Re: Possible addition to StringUtils

Posted by Chad Johnson <ch...@netnet.net>.
Hey,
  Hmm, I do like this take on the method(s).  Instead of going to great
lengths to make it DB compatible, just lay the groundwork that makes the
substituting possible.  The method itself would work similar to replace()
except it would need to check if the character in question is already
escaped.


-Chad Johnson

----- Original Message -----
From: "Scott Sanders" <ss...@nextance.com>
To: "'Jakarta Commons Developers List'" <co...@jakarta.apache.org>
Sent: Monday, December 10, 2001 2:11 PM
Subject: RE: Possible addition to StringUtils


> Would it not be useful to have a generic string escaper, that says for
> character x in a string, escape it with y?
>
> Scott Sanders


RE: Possible addition to StringUtils

Posted by ba...@generationjava.com.
It would be great to have a look at them Laird.

Looking forward to it,

Bay

On Mon, 10 Dec 2001, Laird Nelson wrote:

>  Scott Sanders  wrote:
> > Would it not be useful to have a generic string escaper,
> > that says for character x in a string, escape it with y?
>
> (I've been lurking for a while; this prompted me to chime in.)
>
> I've got a bunch of String related stuff (who hasn't?), some or all of
> which I'd like to donate to the commons project.  For now, feel free to
> see (long URLs follow--they point at SourceForge's HTML interface to
> the cvs repository)
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/foundry/foundry/foundry/text/Strings.java?rev=HEAD&content-type=text/vnd.viewcvs-markup
> and
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/foundry/foundry/foundry/io/EscapingWriter.java?rev=HEAD&content-type=text/vnd.viewcvs-markup,
> which does what you want, I think.  Once I get this stuff cleaned up
> and commented and looking purdy, I'll return, humble, hat in hand, to
> try my hand at submitting a patch or two.
>
> {retreats back into shadows}
>
> Cheers,
> Laird


RE: Possible addition to StringUtils

Posted by Laird Nelson <lj...@yahoo.com>.
 Scott Sanders  wrote: 
> Would it not be useful to have a generic string escaper,
> that says for character x in a string, escape it with y?

(I've been lurking for a while; this prompted me to chime in.)

I've got a bunch of String related stuff (who hasn't?), some or all of
which I'd like to donate to the commons project.  For now, feel free to
see (long URLs follow--they point at SourceForge's HTML interface to
the cvs repository)
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/foundry/foundry/foundry/text/Strings.java?rev=HEAD&content-type=text/vnd.viewcvs-markup
and
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/foundry/foundry/foundry/io/EscapingWriter.java?rev=HEAD&content-type=text/vnd.viewcvs-markup,
which does what you want, I think.  Once I get this stuff cleaned up
and commented and looking purdy, I'll return, humble, hat in hand, to
try my hand at submitting a patch or two.

{retreats back into shadows}

Cheers,
Laird

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com



RE: Possible addition to StringUtils

Posted by he...@yandell.org.
Or:

    StringUtils.replace(str, "\"", "\\\"");

Isn't that ugly :)

Maybe the replace method could take a Map as an argument which contains a
whole load of replacements. Starting to get a bit over the top though.

Bay

On Mon, 10 Dec 2001, Scott Sanders wrote:

> Or perhaps one would just use RegExp or Oro? :)
>
> Scott


RE: Possible addition to StringUtils

Posted by Scott Sanders <ss...@nextance.com>.
Or perhaps one would just use RegExp or Oro? :)

Scott

> -----Original Message-----
> From: Scott Sanders [mailto:ssanders@nextance.com] 
> Sent: Monday, December 10, 2001 12:12 PM
> To: 'Jakarta Commons Developers List'
> Subject: RE: Possible addition to StringUtils
> 
> 
> Would it not be useful to have a generic string escaper, that 
> says for character x in a string, escape it with y?
> 
> Scott Sanders
> 


RE: Possible addition to StringUtils

Posted by Scott Sanders <ss...@nextance.com>.
Would it not be useful to have a generic string escaper, that says for
character x in a string, escape it with y?

Scott Sanders

> -----Original Message-----
> From: Jason van Zyl [mailto:jvanzyl@zenplex.com] 
> Sent: Sunday, December 09, 2001 7:09 PM
> To: Jakarta Commons Developers List
> Subject: Re: Possible addition to StringUtils
> 
> 
> On 12/9/01 9:14 PM, "Chad Johnson" <ch...@csoft.net> wrote:
> 
> > Hey,
> > Just wondering if a method that escapes single and double 
> quotes, and 
> > other potential SQL query breaking characters has been 
> considered for 
> > addition to the StringUtils class?
> 
> Probably not. I'd say that's a little specific and the 
> quoting schemes are sometimes different for different 
> databases. This type of string manipulation that's database 
> specific should probably be handled in your persistence 
> mechanism. In Torque (http://jakarta.apache.org/turbine/torque)
> the behaviour of a particular database is modeled in an 
> individual class, quoting is handled here.
> 
> >  I'd imagine this would be usefull when
> > using a prepared statement for query construction with 
> insecure data 
> > isn't an option.
> 
> You would probably get into the case of looking at the 
> database type and having a bunch of variants of the method to 
> deal with the database. This is handled in Torque but in 
> general I say it should be handled in your persistence mechanism.
>  
> > -Chad Johnson
> > 
> > 
> 
> -- 
> 
> jvz.
> 
> Jason van Zyl
> 
> http://tambora.zenplex.org
> http://jakarta.apache.org/turbine http://jakarta.apache.org/velocity
> http://jakarta.apache.org/alexandria
> http://jakarta.apache.org/commons





Re: Possible addition to StringUtils

Posted by ba...@generationjava.com.
Reasons why not:

1) Craig pointed out that using PreparedStatements all the time is a
better programming style and will avoid lots of nasty problems. Equally
though, what cases have you come across when PrepStats aren't really
viable?? When creating dynamic SQL I have found them to be a little bit of
a pain, but they end up being worth it in the long term (as soon as you
have a date column).

2) Which escaping choice do we make? Some databases escape with '' and
others with \'. Too hard to know. Do all databases escape % and _ the same
way?

Still, not a bad idea :)

Bay



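The generic "for character x, escape it with y" escaper that Scott asks about, written out as an added example; it is not Jakarta Commons or Foundry code, and it is in Python rather than Java so that it runs stand-alone. The function and table names are assumptions for illustration. The two tables show Bay's point that some databases double the quote while others backslash it, and the single-pass design avoids the problem raised earlier in the thread, where escaping quotes in one call and backslashes in a second call re-escapes what the first call produced. Note that % and _ are deliberately absent from both tables: they are not string delimiters, so escaping them inside a literal does nothing; they only matter as LIKE wildcards.

```python
"""Added example, not Jakarta Commons code: a table-driven, single-pass
string escaper of the "character x becomes y" kind proposed in the thread."""

# Hypothetical escape tables (names are assumptions for this example).
# SQL-92 style: a single quote inside a string literal is doubled.
SQL92_QUOTES = {"'": "''"}
# Backslash style, which some databases accept: the quote and the backslash
# itself both need escaping, and they must be handled in the same pass.
BACKSLASH_QUOTES = {"'": "\\'", "\\": "\\\\"}


def escape(value, table):
    """Return value with every character present in table replaced by its
    escape sequence. Because each input character is looked up exactly once,
    an escape sequence emitted for one character is never re-escaped by a
    later rule."""
    return "".join(table.get(ch, ch) for ch in value)


def escape_sequential(value, table):
    """The naive alternative: one str.replace per rule, applied in order.
    Kept only to show why it is wrong when a rule's output contains a
    character that a later rule also escapes (quote first, then backslash)."""
    for ch, repl in table.items():
        value = value.replace(ch, repl)
    return value


def quote_literal(value, table):
    """Render value as a single-quoted SQL string literal for the dialect
    described by table."""
    return "'" + escape(value, table) + "'"


if __name__ == "__main__":
    name = "O'Brien"
    print(quote_literal(name, SQL92_QUOTES))        # 'O''Brien'
    print(quote_literal(name, BACKSLASH_QUOTES))    # 'O\'Brien'
    # Sequential replacement turns the \' from rule one into \\' in rule two,
    # which a backslash-escaping database reads as a literal backslash
    # followed by an unescaped quote that ends the string early.
    print(escape_sequential(name, BACKSLASH_QUOTES))
```

Selecting the table per database is the same idea as the per-database adapter classes Jason describes in Torque; the escaping itself is the easy part, knowing which table applies to the connection in hand is what StringUtils would have no way to know.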


Re: Possible addition to StringUtils

Posted by Jason van Zyl <jv...@zenplex.com>.
On 12/9/01 11:19 PM, "Craig R. McClanahan" <cr...@apache.org> wrote:

> 
> 
> On Sun, 9 Dec 2001, Jason van Zyl wrote:
> 
>> Date: Sun, 09 Dec 2001 22:09:05 -0500
>> From: Jason van Zyl <jv...@zenplex.com>
>> Reply-To: Jakarta Commons Developers List <co...@jakarta.apache.org>
>> To: Jakarta Commons Developers List <co...@jakarta.apache.org>
>> Subject: Re: Possible addition to StringUtils
>> 
>> On 12/9/01 9:14 PM, "Chad Johnson" <ch...@csoft.net> wrote:
>> 
>>> Hey,
>>> Just wondering if a method that escapes single and double quotes, and
>>> other potential SQL query breaking characters has been considered for
>>> addition to the StringUtils class?
>> 
>> Probably not. I'd say that's a little specific and the quoting schemes are
>> sometimes different for different databases. This type of string
>> manipulation that's database specific should probably be handled in your
>> persistence mechanism. In Torque (http://jakarta.apache.org/turbine/torque)
>> the behaviour of a particular database is modeled in an individual class,
>> quoting is handled here.
>> 
> 
> I've never had a problem with quote escaping since I went to using
> PreparedStatements for *all* database accesses (even if you're not going
> to reuse the PreparedStatement more than once).  It's a much simpler
> programming approach.

You're right, I just took a closer look at each of the torque adapters and
they are all the same with respect to quoting. For some reason I thought
that Interbase and Informix were different but I'm definitely wrong. I
suppose the single quote is the SQL-92 string delimiter.
 
> This also deals with all the weirdness of representing dates, times, and
> so on in a database-independent manner.  Of course, no solution is perfect
> -- you still have database-specific things for arcane join syntax and the
> like, but prepared statements for all calls covers 90-95% of the issues.
> 
> Craig
> 

-- 

jvz.

Jason van Zyl

http://tambora.zenplex.org
http://jakarta.apache.org/turbine
http://jakarta.apache.org/velocity
http://jakarta.apache.org/alexandria
http://jakarta.apache.org/commons





Re: Possible addition to StringUtils

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Sun, 9 Dec 2001, Jason van Zyl wrote:

> Date: Sun, 09 Dec 2001 22:09:05 -0500
> From: Jason van Zyl <jv...@zenplex.com>
> Reply-To: Jakarta Commons Developers List <co...@jakarta.apache.org>
> To: Jakarta Commons Developers List <co...@jakarta.apache.org>
> Subject: Re: Possible addition to StringUtils
>
> On 12/9/01 9:14 PM, "Chad Johnson" <ch...@csoft.net> wrote:
>
> > Hey,
> > Just wondering if a method that escapes single and double quotes, and
> > other potential SQL query breaking characters has been considered for
> > addition to the StringUtils class?
>
> Probably not. I'd say that's a little specific and the quoting schemes are
> sometimes different for different databases. This type of string
> manipulation that's database specific should probably be handled in your
> persistence mechanism. In Torque (http://jakarta.apache.org/turbine/torque)
> the behaviour of a particular database is modeled in an individual class,
> quoting is handled here.
>

I've never had a problem with quote escaping since I went to using
PreparedStatements for *all* database accesses (even if you're not going
to reuse the PreparedStatement more than once).  It's a much simpler
programming approach.

This also deals with all the weirdness of representing dates, times, and
so on in a database-independent manner.  Of course, no solution is perfect
-- you still have database-specific things for arcane join syntax and the
like, but prepared statements for all calls covers 90-95% of the issues.

Craig



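Craig's point about binding parameters for every access, together with Bay's question about % and _, as an added example that is not Jakarta Commons or Torque code. Python's standard sqlite3 module stands in for JDBC's PreparedStatement, since parameter binding works the same way in both: the bound value is passed to the database as data and is never parsed as SQL. The table, its rows and the hostile inputs are constructed for this example. The last two functions show what binding does not do: % and _ are LIKE wildcards, not delimiters, so a bound value containing them still widens the match unless they are escaped and the escape character is declared with an ESCAPE clause.

```python
"""Added example, not Jakarta Commons or Torque code: string concatenation
versus a bound parameter, using sqlite3 in place of JDBC PreparedStatement."""
import sqlite3


def make_db():
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_by_name_concat(conn, name):
    """Query text built by concatenation: the input is parsed as SQL, so a
    quote inside it ends the literal and the rest becomes part of the query.
    A legitimate name such as o'brien breaks the statement outright."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Same query with a bound parameter: the input is data, never SQL, and
    the database-specific quoting question disappears."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_prefix_like_naive(conn, prefix):
    """Bound but unescaped: a user-supplied % or _ is still a LIKE wildcard,
    so binding alone does not make the match literal."""
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def find_by_prefix_like(conn, prefix):
    """Escape the wildcard characters and declare the escape character with
    ESCAPE, so the user's text is matched literally and only the trailing %
    added here acts as a wildcard. The backslash is escaped first so the
    backslashes introduced for % and _ are not themselves doubled."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"          # constructed hostile input
    print(find_by_name_concat(db, hostile))   # every row comes back
    print(find_by_name_bound(db, hostile))    # nothing matches that literal name
    print(find_by_prefix_like_naive(db, "%")) # % widens the match to all rows
    print(find_by_prefix_like(db, "%"))       # literal %, no rows
```

The concatenated form also fails on ordinary data: calling find_by_name_concat with the name o'brien raises a syntax error before any injection is involved, which is the day-to-day pain Craig describes going away once every call is a prepared statement.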


Re: Possible addition to StringUtils

Posted by Jason van Zyl <jv...@zenplex.com>.
On 12/9/01 9:14 PM, "Chad Johnson" <ch...@csoft.net> wrote:

> Hey,
> Just wondering if a method that escapes single and double quotes, and
> other potential SQL query breaking characters has been considered for
> addition to the StringUtils class?

Probably not. I'd say that's a little specific and the quoting schemes are
sometimes different for different databases. This type of string
manipulation that's database specific should probably be handled in your
persistence mechanism. In Torque (http://jakarta.apache.org/turbine/torque)
the behaviour of a particular database is modeled in an individual class,
quoting is handled here.

> I'd imagine this would be useful when using a prepared statement for
> query construction with insecure data isn't an option.

You would probably get into the case of looking at the database type and
having a bunch of variants of the method to deal with the database. This is
handled in Torque but in general I say it should be handled in your
persistence mechanism.
 
> -Chad Johnson
> 
> 

-- 

jvz.

Jason van Zyl

http://tambora.zenplex.org
http://jakarta.apache.org/turbine
http://jakarta.apache.org/velocity
http://jakarta.apache.org/alexandria
http://jakarta.apache.org/commons


