Re: How to make getText() return the result in case sensitive ?
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
---910079544-1257652537-1222818076=:31070
Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
On Tue, 30 Sep 2008, Lew wrote:
On Sep 30, 1:22?pm, Tom Anderson <t...@urchin.earth.li> wrote:
On Mon, 29 Sep 2008, Lew wrote:
Tom Anderson wrote:
On Mon, 29 Sep 2008, tobleron wrote:
Hi, I have an SQL statement like this :
"SELECT * FROM user WHERE userid = '"+ UserIDTxt.getText() +"' AND
passwd = '"+ PasswdTxt.getText() +"'"
Firstly, don't do that. Use a PreparedStatement. It's cleaner, more
efficient, and most importantly, protects against SQL injection attacks and
bugs. You should basically never be constructing an SQL string in an app,
unless you have a very good reason indeed.
Second-most importantly. ?Most importantly it provides type safety.
Type safety is a wonderful thing, but it's not a prerequisite for
correctness. Protection against SQL injection is.
Let me put it this way - would you rather have an incorrect or unsecure
application written in java, or a correct and secure one written in
python, smalltalk, or javascript?
Neither. It's a false question. The real question is how much effort
it is to create a secure, correct application in either environment.
Yes. Which i think means your answer is "the latter".
PreparedStatement is not requisite for protection again SQL injection.
One can protect against those attacks with regular SQL strings and
(unPrepared) Statements. It is the type safety of PreparedStatement
that makes that protection easy and automatic. So your question should
be, "If PreparedStatement weren't type-safe, how would it be able to
protect against SQL injection in the first place?"
I don't see how type safety has anything to do with it. It's the idea of
separating the text of the command and the text of the parameters that
does it. You could have exactly the same separation, and exactly the same
security, in a typeless language.
Just for yuks, here's a sketch in python:
#! /usr/bin/env python
class ResultSet(object):
def __init__(self, sql):
self.sql = sql
def __repr__(self):
return "i am the results for [" + self.sql + "]"
def executeQuery(sql):
return ResultSet(sql)
def escape(s):
return s.replace("'", "''")
def sqlStr(obj):
if (obj == None):
return "NULL"
if (isinstance(obj, int)):
return str(obj)
if (isinstance(obj, str)):
return "'" + escape(obj) + "'"
else:
raise ValueError, "unknown parameter type: " + obj
class PreparedStatement(object):
def __init__(self, sql):
self.sql = sql
numParams = sql.count("?")
self.params = [None] * numParams
def __setitem__(self, index, value):
self.params[index] = value
def execute(self):
template = self.sql.replace("?", "%s")
paramStrs = map(sqlStr, self.params)
preparedSql = template % tuple(paramStrs)
return executeQuery(preparedSql)
stmt = preparedstatement.PreparedStatement("SELECT * from users WHERE name = ? AND userlevel = ?")
stmt[0] = "Lew O'Canon"
stmt[1] = 42
stmt.execute()
i am the results for [SELECT * from users WHERE name = 'Lew O''Canon' AND userlevel = 42]
tom
--
GODZILLA PLEASE EAT THE FUCKIN COLDPLAY -- a poster in Bergen
---910079544-1257652537-1222818076=:31070--