[Esapi-user] encoderForSQL() method

ashish kumar gautam gautamashishkumar at gmail.com
Mon Jul 4 01:17:17 EDT 2011


Hi,

I am Ashish Gautam from NIC Delhi, India.

I encoded a SQL statement using ESAPI.encoder().encodeForSQL() and got an
error message.


My code is:

    String querystringnew = ESAPI.encoder().encodeForSQL(mysql, "SELECT empcode FROM emailuser WHERE emailid = ?");

    PreparedStatement psmtnew = dbcon.prepareStatement(querystringnew);

    psmtnew.setString(1, name + "@nic.in");

    ResultSet rsnew = psmtnew.executeQuery();

Error: Incorrect syntax near the ?

This error occurs because the encodeForSQL() method converts the query into
the following format:

    SELECT empcode FROM emailuser WHERE emailid \= \?

What is the way to use the encodeForSQL() method?

--
Best regards,
Ashish K. Gautam
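The following is an added illustration of the usage question raised in the post; it is not code from the post or from the ESAPI project. encodeForSQL() is meant to encode an untrusted value that is spliced into a SQL string, not the query text itself, which is why encoding the whole statement turned the "=" and "?" into "\=" and "\?" and broke the placeholder. The preferred pattern is to keep the SQL constant and bind the value through PreparedStatement.setString(); the encoder is a fallback for the rare case where a placeholder cannot be used. The class name, the findEmpCode/buildEncodedQuery method names and the MySQLCodec.Mode.STANDARD constructor (ESAPI 2.x) are assumptions, and the codec must match the database actually in use.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

// Hypothetical class name; illustrates the two correct places for untrusted data.
public class EmailLookup {

    // The SQL text is a constant. It is never built from, or encoded with, user input.
    private static final String FIND_EMPCODE =
        "SELECT empcode FROM emailuser WHERE emailid = ?";

    // Preferred: bind the raw value. The driver keeps data and SQL separate,
    // so no encoding of the value is needed and the "?" placeholder stays intact.
    public static String findEmpCode(Connection dbcon, String name) throws SQLException {
        try (PreparedStatement ps = dbcon.prepareStatement(FIND_EMPCODE)) {
            ps.setString(1, name + "@nic.in");
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("empcode") : null;
            }
        }
    }

    // Fallback only when a placeholder cannot be used: encode the VALUE with a codec
    // that matches the target database, then splice the encoded value into the string.
    public static String buildEncodedQuery(String name) {
        // Assumed ESAPI 2.x constructor; use the codec for your actual database engine.
        MySQLCodec mysql = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        String safeEmail = ESAPI.encoder().encodeForSQL(mysql, name + "@nic.in");
        return "SELECT empcode FROM emailuser WHERE emailid = '" + safeEmail + "'";
    }

    public static void main(String[] args) {
        // Constructed sample input containing a quote, to show what the encoder changes
        // and that the surrounding SQL (including the '=' sign) is left untouched.
        System.out.println(buildEncodedQuery("o'brien"));
    }
}
```

In findEmpCode the value goes through setString() unencoded; if it were also passed through encodeForSQL(), the stored email would end up with literal backslashes. In buildEncodedQuery only the user-supplied fragment is encoded, so the operator and quotes written by the programmer remain valid SQL.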