I noticed that when I use a PreparedStatement it doesn't seem to escape certain wild-card characters like '%' or '_'. I know these can be escaped in MySql using a backslash. This made me wonder, what characters will a PreparedStatement escape?
+2
A:
PreparedStatement doesn't escape anything - it relies on database support for precompiled statements.
That is, PreparedStatement never substitutes ?s for parameter values in order to form a literal query string. Instead, it sends a query string with placeholders to the database and uses database support to bind query parameters (however, it may depend on JDBC driver implementation).
axtavt
2010-10-14 15:45:01
Interesting, what does that support look like for MySql?
stevebot
2010-10-14 15:46:35
MySql supports prepared statements in the same way on the server side. How it looks in your code depends on the driver you are using.
Alan Geleynse
2010-10-14 15:49:03
I believe many drivers actually do insert escaped argument text into the SQL text.
Tom Hawtin - tackline
2010-10-14 15:54:35
@stevebot: Quick googling showed this: http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
axtavt
2010-10-14 15:56:28
@Tom: I don't think it's the case for major databases.
axtavt
2010-10-14 16:01:36
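To make the distinction above concrete: a bound parameter is passed as data, so it needs no quoting and cannot break out of the query, but the database still interprets '%' and '_' as wildcards when that data lands on the right-hand side of LIKE. The following is an added example, not code from the question or any of the answers; it assumes a users table with a name column and uses a placeholder JDBC URL, and it escapes LIKE wildcards with the SQL-standard ESCAPE clause rather than with MySQL's backslash.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class LikeWildcardDemo {

    /**
     * Escape the LIKE wildcards '%' and '_' (and the escape character itself) so
     * that the text is matched literally. Parameter binding alone does not do
     * this: the driver hands the value to the database as data, and LIKE still
     * treats any '%' or '_' inside that data as a wildcard.
     */
    static String escapeLike(String s, char esc) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '%' || c == '_' || c == esc) {
                sb.append(esc);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Exact match: no escaping needed, the bound value is compared as plain data. */
    static List<String> findExact(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userInput);
            return collect(ps);
        }
    }

    /**
     * Prefix search: the user text is escaped so that only the trailing '%' we
     * append acts as a wildcard. The ESCAPE clause tells the database which
     * character we used; '!' sidesteps the backslash handling MySQL applies to
     * string literals.
     */
    static List<String> findByPrefix(Connection conn, String userPrefix) throws SQLException {
        String sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '!'";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, escapeLike(userPrefix, '!') + "%");
            return collect(ps);
        }
    }

    private static List<String> collect(PreparedStatement ps) throws SQLException {
        List<String> out = new ArrayList<>();
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                out.add(rs.getString(1));
            }
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // The escaping helper alone: "50%_off" becomes "50!%!_off".
        System.out.println(escapeLike("50%_off", '!'));

        // Placeholder URL (assumption): point it at a database that has a
        // users(name) table and whose JDBC driver is on the classpath.
        String url = args.length > 0 ? args[0] : "jdbc:mysql://localhost/placeholder_db";
        try (Connection conn = DriverManager.getConnection(url)) {
            // With '=' the value "50%" matches only the literal string "50%".
            System.out.println(findExact(conn, "50%"));
            // With LIKE, an unescaped "50%" would match every name starting with
            // "50"; the escaped prefix search matches only names starting with "50%".
            System.out.println(findByPrefix(conn, "50%"));
        }
    }
}
```

The design point is that escaping for LIKE is a separate concern from SQL injection: the placeholder already guarantees the input is data, so the escape function only controls pattern semantics, and the ESCAPE clause keeps that behaviour the same across databases instead of relying on MySQL's default backslash.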