Try something along these lines:

String sql = "UPDATE my_table SET some_column = ? WHERE key = ?";

Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql);

// bind the values: the driver handles quoting, so a ' in the data is harmless
ps.setString(1, newColumnValue);
ps.setInt(2, recordId);

// an UPDATE returns no result set, so use executeUpdate() with no SQL argument;
// PreparedStatement.executeQuery(String) throws SQLException
int rowsChanged = ps.executeUpdate();




>  from:    Manuel Lenz <[EMAIL PROTECTED]>
>  date:    Tue, 28 Oct 2003 12:07:42
>  to:      [EMAIL PROTECTED]
>  subject: Re: Reply: RE: Reply: [OT] Re: far reaching db question
> 
> How can I do that?
> 
> 
> 
> 
> 
> 
> "Navjot Singh" <[EMAIL PROTECTED]>
> 28.10.2003 12:32
> Please reply to "Struts Users Mailing List"
>  
>         To:     "Struts Users Mailing List" <[EMAIL PROTECTED]>
>         Cc: 
>         Subject:  RE: Reply: [OT] Re: far reaching db question
> 
> 
> you should escape your SQL data values for mischievous chars like single
> quotes etc.
> 
> 
> >-----Original Message-----
> >From: Manuel Lenz [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, October 28, 2003 4:33 PM
> >To: Struts Users Mailing List
> >Subject: Reply: [OT] Re: far reaching db question
> >
> >
> >How do PreparedStatements handle single quotes and other injection
> >attacks?
> >I changed my db connection from normal Statement code to prepared
> >statements.
> >But the error is still the same.
> >
> >Here is my test code:
> >Connection conn = null;
> >                PreparedStatement prepare = null;
> >                ServletContext context = as.getServletContext();
> >                boolean ret = false;
> >
> >                try
> >                {
> >                        DataSource ds = (DataSource)
> >context.getAttribute(Action.DATA_SOURCE_KEY);
> >
> >                        // Update Banf-Daten
> >                        String sql = "update tab_article set ..."
> >                        System.out.println (sql);
> >
> >                        conn = ds.getConnection();
> >                        prepare = conn.prepareStatement(sql);
> >                        prepare.executeQuery(sql);
> >                }
> >                catch (Exception ex)
> >                ....
> >
> >Do I need some extra code for injection attacks, or is this code
> >wrong?
> >
> >Regards,
> >Manuel
> >
> >
> >
> >
> >
> >
> >David Graham <[EMAIL PROTECTED]>
> >24.10.2003 17:47
> >Please reply to "Struts Users Mailing List"
> >
> >        To:     Struts Users Mailing List <[EMAIL PROTECTED]>
> >        Cc:
> >        Subject:  [OT] Re: far reaching db question
> >
> >
> >> I create DB inserts from my Struts application.
> >> But if a user types in the ' sign, any dynamically created inserts fail.
> >> This is because of the SQL syntax, which delimits the string that will
> >> be saved with '.
> >>
> >> For example: insert into table test (name, number) values ('mr burns',
> >> '01723256477');
> >>
> >> How can I handle inserts from HTML forms in which the ' sign was typed?
> >>
> >
> >Always use PreparedStatements.  They handle the ' for you and prevent
> >other SQL injection attacks.
> >
> >David
> >
> >> Greetings,
> >> Manuel
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >
> >
> >
> >
> 
> 
> 



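The two behaviours the thread is about, shown side by side as an added example (not code from any of the posters): a ' in the data breaks a statement built by string concatenation, while a bound parameter stores it unchanged and also stops a tautology payload from widening a lookup. It uses Python's sqlite3 module with an in-memory database as a stand-in for JDBC, because its ? placeholders correspond directly to PreparedStatement parameters bound with setString/setInt; the table and rows are constructed for the demo.

```python
"""Concatenated SQL versus bound parameters, on an in-memory SQLite database.

Added example (not from the thread): sqlite3's ? placeholders stand in for
JDBC PreparedStatement parameters. Table and rows are constructed here.
"""
import sqlite3

# Constructed sample rows for the `test(name, number)` table from the thread.
SAMPLE_ROWS = [("mr burns", "01723256477"), ("smithers", "01723000001")]


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE test (name TEXT, number TEXT)")
    con.executemany("INSERT INTO test (name, number) VALUES (?, ?)", SAMPLE_ROWS)
    return con


def insert_concat(con, name, number):
    """The failing pattern from the thread: data spliced into the SQL text.

    A ' inside `name` closes the string literal early, so the statement is
    syntactically broken and the driver raises an error; worse, any text
    an attacker puts in `name` is parsed as SQL.
    """
    sql = ("INSERT INTO test (name, number) VALUES ('"
           + name + "', '" + number + "')")
    con.execute(sql)


def insert_param(con, name, number):
    """The fix: placeholders in the SQL, values bound separately.

    Equivalent to prepareStatement(sql) + setString(1, name) +
    setString(2, number) + executeUpdate() in JDBC. The value never becomes
    part of the SQL text, so ' needs no escaping and cannot alter the statement.
    """
    con.execute("INSERT INTO test (name, number) VALUES (?, ?)", (name, number))


def find_concat(con, name):
    """Lookup built by concatenation: injectable."""
    sql = "SELECT name FROM test WHERE name = '" + name + "' ORDER BY rowid"
    return [row[0] for row in con.execute(sql)]


def find_param(con, name):
    """Lookup with a bound parameter: the input is compared as data only."""
    sql = "SELECT name FROM test WHERE name = ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (name,))]


def demo():
    """Run both variants against an apostrophe and an injection payload."""
    con = make_db()
    results = {}

    # 1. Legitimate data containing an apostrophe (the thread's original bug).
    try:
        insert_concat(con, "mr o'brien", "01723000002")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    insert_param(con, "mr o'brien", "01723000002")
    results["param_apostrophe"] = find_param(con, "mr o'brien")

    # 2. Hostile input: a classic tautology payload.
    payload = "x' OR '1'='1"
    results["concat_injected"] = find_concat(con, payload)  # every row leaks
    results["param_injected"] = find_param(con, payload)    # no row has that name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated INSERT fails exactly as described in the first message (the literal ends at the apostrophe and the rest is a syntax error), and the concatenated SELECT returns every row for the payload, while both parameterised versions treat the input as a plain string. The Java equivalent is the ?/setString pattern at the top of this reply, with executeUpdate() for INSERT and UPDATE.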
