On Wed, Jul 25, 2012 at 7:13 PM, Rural Hunter <ruralhunter@xxxxxxxxx> wrote: > Why not just use simple Statement instead of PreparedStatement and construct > the SQL with concated string or StringBuilder? like this: > int col1=xxx; > String col2="xxxx"; > String sql="select * from table where col1="+col+" and col2='"+col2+"'"; Ah, finally get to apply the old there's-an-xkcd-for-that rule here: http://xkcd.com/327/ Or, more informatively: http://en.wikipedia.org/wiki/SQL_injection Note that it's not completely crazy (in fact, the JDBC driver used to this this forever ago): if you know what you're doing, you *can* safely escape strings and avoid injection. But it's not for the faint of heart. Also, if you control the parameters and can verify that escaping is not (and will never be) necessary over the domain of their possible values, that's another option. But in general, it's safer to let drivers worry about this. -- Sent via pgsql-performance mailing list (pgsql-performance@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance
