A reader, October 18, 2001 - 12:54 pm UTC
What about bind variables using web application ?
Amit, October 15, 2003 - 12:23 am UTC
Hi Tom,
is there a way I can get the following to work through JDBC ?
I will run stmt.executeUpdate() on the following :
String updateQuery=" execute immediate 'update s_uda_basic_info set " +
" Name =:1"+","+
" Address1 =:2"+","+
" Address2 =:3"+","+
" using "+
(String) req.getParameterValues("Name")[0].trim()+","+
(String) req.getParameterValues("Address1")[0].trim()+","+
(String) req.getParameterValues("Address2")[0].trim()+","+
user_id;
Where the address field can have a ",", in which case there will be more 'using' fields ( eg : ... using xyz,add1,more_add1,add2) .
My problem arose because if i don't use bind variables and a field comes in with apostrophe ('), my update query fails.
Normally what is done in web based applications to take care of these special characters ?
Thanks,
Amit
October 15, 2003 - 7:42 am UTC
umm, you use bind variables for performance and because anyother way is a bug in your code!!!!!
but in jdbc, you just use prepared statements for this.
you would prepare a statement "update t set c1 = ?, c2 = ?, c3 = ?"
you would bind to it
you would execute it.
something like this:
static void doPreparedStatement (Connection con, int count)
throws Exception
{
long start = new Date().getTime();
PreparedStatement ps =
con.prepareStatement
("insert into testxxxperf " +
"(id, code, descr, insert_user, insert_date)"
+ " values (?,?,?, user, sysdate)");
for (int i = 0; i < count; i++)
{
ps.setInt(1,i);
ps.setString(2,"PS - code" + i);
ps.setString(3,"PS - desc" + i);
ps.executeUpdate();
}
long end = new Date().getTime();
con.commit();
System.out.println
("pstatement " + count + " times in " + (end - start) + " milli seconds");
}
A reader, October 15, 2003 - 2:02 pm UTC
create user,
A reader, May 15, 2007 - 2:23 pm UTC
how to create an user who has apostrophe in his name (like jim o'connor)?
Thanks,
May 16, 2007 - 9:53 am UTC
you don't want to even consider doing that. it would be a really bad idea. Please stick with normal identifiers - you'll be really sorry otherwise.
a writer
A reader, May 16, 2007 - 10:10 am UTC
hallo a reader
sql > create user "jim o'connor" identified by "jim o'connor";
User created.
cheers
a writer
May 16, 2007 - 10:51 am UTC
PLEASE, BEGGING YOU, DO NOT GO DOWN THIS PATH
you will hate yourself, seriously, this is a really bad idea.
Just because there is an answer to a direct question does not mean it should be provided.
eg: do cats always land on their feet? That has a direct answer, however, if asked by a 5 year old kid, you might want to ask "why do you ask" before you consider answering. Since the answer could lead to the immediate death of an innocent cat as it is dropped from the balcony.
This is a cat question - it should not be answered.
Alexander the ok, May 16, 2007 - 11:02 am UTC
That's a riot Tom. That's one of the best analogies I've ever heard. I've used "my car won't start" before with developers to get points across, if you don't mind I'm going to steal that one too ;)
I agree
A reader, May 16, 2007 - 8:16 pm UTC
Tom,
Recently I came across some issue where a query just won't run. On closer inspection, I found that developers had created tables with @ symbol in the table names using the method described above. Now when they tried to select from table, Oracle would think that they were trying to select from a non-existent db link. They had to enclose all references to those tables in quotes. Major pain.
In second instance, they created case sensitive table names. We had major troubles exporting those tables. Looks like APEX allows developers to create case sensitive table names and table names with any character in it. They did not even realize that they had done it.
I totally agree that just because something can be done technically, sometimes it is not advisable to do it.
Thanks
May 17, 2007 - 11:16 am UTC
I totally agree that just because something can be done technically, sometimes it is not advisable to do it.
i like that!
please clarify a bit more
Sokrates, May 18, 2007 - 2:51 am UTC
ok, "a writer" should have asked "why do you ask" beforehand.
But please elaborate a bit more, WHY it is a bad idea to name
a user "jim o'connor" ?
It is not so clear to me (probably I am the only one ?).
as far as I remember, Oracle named a column in
v$sort_usage USER.
(it still exists as USER in v$tempseg_usage but is now
supplemented by USERNAME).
Some people thought, this is a very bad idea and suggested
workarounds
for example
http://www.jlcomp.demon.co.uk/sort_usage.html I never got it, WHY would this a bad idea, because
select "USER" from v$tempseg_usage
works very good for me and I have not one problem with that.
So, are there more points in naming a user
"jim o'connor" than probably having the operator
typing in a pair of double quotes ?
May 18, 2007 - 3:59 pm UTC
because many applications will not quote a username used in a connection. You'll find most applications, many applications are not able to connect.
quoted identifiers are a hugely bad idea in practice.