6 messages in com.mysql.lists.java

Re: insert variables

| From | Sent On | Attachments |
|---|---|---|
| Oana Radulescu | 29 Apr 1999 10:00 | |
| Mark Matthews | 29 Apr 1999 10:06 | |
| RITESH BISWAS | 29 Apr 1999 20:58 | |
| mmat...@ecn.purdue.edu | 30 Apr 1999 06:29 | |
| Ambrose Li | 30 Apr 1999 06:36 | |
| Tim Endres | 30 Apr 1999 09:36 | |
| Subject: | Re: insert variables |
|---|---|
| From: | Tim Endres (ti...@ice.com) |
| Date: | 04/30/1999 09:36:47 AM |
| List: | com.mysql.lists.java |
On Fri, Apr 30 1999, Ambrose Li wrote:
> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> > it uses + to concatenate 2 strings...even the variable.
> What if value1 has at least one ' in it? Wouldn't that generate a runtime error?
Yes. You either have to escape all of those cases in your code, or you need to use a PreparedStatement. It looks something like this:
```java
// The field value is bound through a ? placeholder, so quotes inside
// strValue never reach the SQL parser. Note the space before WHERE: the
// flattened original lacked it, which would have produced "?WHERE" and a
// syntax error. myDocId is still concatenated into the SQL text, so the
// quoting concern applies to it unless it is bound with a second ?.
String statement = "UPDATE table SET field = ?"
                 + " WHERE docid = '" + myDocId + "'";
PreparedStatement pstmt = connection.prepareStatement(statement);
pstmt.setString(1, strValue);
int rc = pstmt.executeUpdate();
pstmt.close();
```

The prepared statement will avoid all of the quoting and escaping problems you would have otherwise.
tim.

Tim Endres, ICE Engineering, Inc.
mailto: ti...@ice.com  http://www.ice.com
"Usenet - A slow moving self parody." -- Peter Honeyman
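The difference Tim describes, run side by side as an added example that is not part of this thread. Python's sqlite3 module stands in for JDBC and MySQL so it runs without a server, but the mechanism is the one PreparedStatement.setString uses: a `?` placeholder in the SQL text and the value handed to the driver separately. The table `docs`, its columns `docid` and `field`, and the sample rows are constructed for the demo. It goes one step beyond Ambrose's question: the third input shows that an unescaped `'` does not only cause a runtime error, it can also change which row the UPDATE touches.

```python
import sqlite3


def setup_db():
    """Constructed sample table: two documents, so a stray quote can be
    seen altering which row an UPDATE touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (docid TEXT PRIMARY KEY, field TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)",
                     [("d1", "original"), ("d2", "untouched")])
    conn.commit()
    return conn


def update_concatenated(conn, doc_id, value):
    """The pattern questioned in the thread: the value is pasted into the
    SQL text, so any ' inside it becomes part of the statement.
    Returns the driver's error text, or None if the statement ran."""
    sql = "UPDATE docs SET field = '" + value + "' WHERE docid = '" + doc_id + "'"
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as e:
        conn.rollback()
        return str(e)


def update_prepared(conn, doc_id, value):
    """The fix Tim recommends: placeholders in the SQL text, values passed
    separately, so the driver never interprets them as SQL."""
    conn.execute("UPDATE docs SET field = ? WHERE docid = ?", (value, doc_id))
    conn.commit()


def read_field(conn, doc_id):
    row = conn.execute("SELECT field FROM docs WHERE docid = ?",
                       (doc_id,)).fetchone()
    return row[0] if row else None


def compare(value):
    """Apply the same value to d1 with both approaches on fresh tables
    and report what each one actually did."""
    c1 = setup_db()
    err = update_concatenated(c1, "d1", value)
    c2 = setup_db()
    update_prepared(c2, "d1", value)
    return {
        "concat_error": err,
        "concat_d1": read_field(c1, "d1"),
        "concat_d2": read_field(c1, "d2"),
        "prepared_d1": read_field(c2, "d1"),
        "prepared_d2": read_field(c2, "d2"),
    }


if __name__ == "__main__":
    # plain text works either way; a quote breaks the concatenated form;
    # a crafted quote makes the concatenated form update the wrong row
    for v in ["plain", "O'Reilly", "x' WHERE docid = 'd2' --"]:
        print(repr(v), compare(v))
```

With `O'Reilly` the concatenated statement fails to parse and nothing is written, while the bound version stores the quote literally. With the third input the concatenated text becomes `... SET field = 'x' WHERE docid = 'd2' --' WHERE docid = 'd1'`, the `--` comments out the real WHERE clause, and d2 is overwritten; the bound version stores the whole string in d1 and leaves d2 alone.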