Hi, I am trying to take the values from a hidden field created with a js function and pass them into a select...from...where clause and can't seem to get the syntax right. The js function stores the values like ("cat,dog") but for the where clause I need them to be like ("cat","dog"). I am not sure whether this is more a js question or jdbc question, so please forgive me if I am in the wrong forum. I will attach my function. Thanks in advance for any suggestions.
For projections (when you want to select specific columns), it's better to have the values inserted from within the Java tier and not to pass user input directly such as retrieving all columns from the database and filtering out the unneeded ones, or using logic that inserts a fixed string column name based on the presence or absence of values. It's *never* a good idea to allow user input directly into a SQL statement, just asking for someone to hack your website.
Also, you can use the Java.split() command to split the input on the "," and use a PreparedStatement to properly format the data.

[ May 01, 2008: Message edited by: Scott Selikoff ]
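The split-and-bind approach suggested in the reply above, sketched as an added example that is not part of the original thread: the hidden field value is split on commas and each item is bound to its own `?` placeholder, so no quoting is built by hand. The table and column names (`pets`, `id`, `name`, `species`) and the class and method names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class InClauseExample {

    // Split the hidden field value ("cat,dog") into trimmed, non-empty items.
    static List<String> parseItems(String hiddenField) {
        List<String> items = new ArrayList<>();
        if (hiddenField == null) return items;
        for (String part : hiddenField.split(",")) {
            String item = part.trim();
            if (!item.isEmpty()) items.add(item);
        }
        return items;
    }

    // Build the statement text with one "?" per value; the values never enter the SQL string.
    // Table and column names are hypothetical.
    static String buildQuery(int count) {
        String marks = String.join(", ", Collections.nCopies(count, "?"));
        return "SELECT id, name FROM pets WHERE species IN (" + marks + ")";
    }

    static List<String> findNames(Connection conn, String hiddenField) throws SQLException {
        List<String> items = parseItems(hiddenField);
        List<String> names = new ArrayList<>();
        if (items.isEmpty()) return names; // "IN ()" is invalid SQL, so skip the query
        try (PreparedStatement ps = conn.prepareStatement(buildQuery(items.size()))) {
            for (int i = 0; i < items.size(); i++) {
                ps.setString(i + 1, items.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString("name"));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed input, including an empty item and a value carrying a quote character.
        List<String> items = parseItems("cat, dog,,o'hare");
        System.out.println(items);
        System.out.println(buildQuery(items.size()));
    }
}
```

`main` runs without a database and only shows the parsed items and the generated statement text; `findNames` needs a `Connection` from whatever JDBC driver the application already uses.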