[Esapi-user] encoderForSQL() method

Chris Schmidt chris.schmidt at owasp.org
Mon Jul 4 01:44:53 EDT 2011


If you are using a prepared statement there is no need to use encoding. The encodeForSql method is to be used when a parameterized/prepared statement cannot be used for some reason. 

Sent from my iPwn

On Jul 3, 2011, at 11:17 PM, ashish kumar gautam <gautamashishkumar at gmail.com> wrote:

> 
> hi
> 
>  I am Ashish Gautam from NIC Delhi, India
> 
> I encoded a sql statement using ESAPI.encoder().encodeForSQL() and I got error message......
> 
> 
> My code is.........
> 
> String querystringnew =ESAPI.encoder().encodeForSQL(mysql, "SELECT empcode FROM emailuser WHERE emailid = ?");
> 
> PreparedStatement psmtnew = dbcon.prepareStatement(querystringnew);
> 
> psmtnew.setString(1,name+"@nic.in");
> 
> ResultSet rsnew = psmtnew.executeQuery();
> 
> 
> 
> Error :- Incorrect syntax near the ?
> 
> This error is generated because the encoderForSQL() method converts the query into the following format:
> SELECT empcode FROM emailuser WHERE emailid \= \?
> 
> then
> 
> What is the way to use the encoderForSQL() method?
> 
> 
> 
> -- 
> Best regards,
> Ashish K. Gautam 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
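The following Java class is an added example, not code from the thread or from the ESAPI project, showing the two cases Chris describes: the normal path, where the SQL text stays a constant and the untrusted value is bound through PreparedStatement.setString, and the fallback path, where a prepared statement cannot be used and only the data value (never the statement) is passed through ESAPI.encoder().encodeForSQL with a codec that matches the target database. It assumes ESAPI 2.x on the classpath and an already-open JDBC Connection; the table and column names are taken from the quoted message. The codec used here is MySQLCodec, which escapes every non-alphanumeric character with a backslash, which is exactly why encoding the whole statement in the quoted code turned `=` and `?` into `\=` and `\?` and broke the query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

/**
 * Added example: the emailuser lookup from the thread done two ways.
 * Assumes an open JDBC Connection and the ESAPI 2.x jar on the classpath.
 */
public class EmpCodeLookup {

    // The SQL text is a constant and is never passed through encodeForSQL.
    // Encoding the whole statement is what produced "emailid \= \?" in the thread.
    private static final String LOOKUP_SQL =
            "SELECT empcode FROM emailuser WHERE emailid = ?";

    /** Preferred path: parameterized query; the driver keeps data separate from SQL. */
    public static String findEmpCode(Connection dbcon, String name) throws SQLException {
        try (PreparedStatement ps = dbcon.prepareStatement(LOOKUP_SQL)) {
            // The untrusted value is bound as a parameter, not concatenated and not encoded.
            ps.setString(1, name + "@nic.in");
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("empcode") : null;
            }
        }
    }

    /**
     * Fallback path for the case Chris describes: a prepared statement cannot be
     * used (for example, a legacy component that only accepts a complete SQL string).
     * Only the data VALUE is encoded, with the codec for the actual database,
     * and the encoded value is placed inside the string literal's quotes.
     */
    public static String buildInlineLookup(Codec codec, String name) {
        String encodedEmail = ESAPI.encoder().encodeForSQL(codec, name + "@nic.in");
        return "SELECT empcode FROM emailuser WHERE emailid = '" + encodedEmail + "'";
    }

    public static String findEmpCodeLegacy(Connection dbcon, Codec codec, String name)
            throws SQLException {
        String sql = buildInlineLookup(codec, name);
        try (Statement st = dbcon.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("empcode") : null;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a name containing a single quote, which would end the
        // string literal early if it were concatenated without encoding.
        Codec mysql = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        System.out.println(buildInlineLookup(mysql, "o'brien"));
        // With the MySQL STANDARD codec the quote is escaped as \' so the value
        // stays inside the literal. The codec must match the database in use;
        // a MySQL codec is the wrong choice for any other server.
    }
}
```

The fallback method should be treated as the exception, not the rule: the encoded value is only as safe as the codec's match with the database's real escaping rules, whereas the parameterized version in findEmpCode does not depend on any escaping at all.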

