4 messages in com.mysql.lists.java

Re: Problems with Single Quotes

| From | Sent On | Attachments |
|---|---|---|
| Christopher Molnar | 20 Apr 2003 17:52 | |
| Igor Fedulov | 20 Apr 2003 18:05 | |
| Shankar Unni | 20 Apr 2003 18:10 | |
| Mark Matthews | 20 Apr 2003 18:11 | |
| Subject: | Re: Problems with Single Quotes |
|---|---|
| From: | Mark Matthews (ma...@mysql.com) |
| Date: | 04/20/2003 06:11:52 PM |
| List: | com.mysql.lists.java |
Christopher Molnar wrote:

> Hello,
>
> I have seen answers to this in the FAQs, but none address Java, and I
> need to try and figure this problem out.
>
> I have an application with a notes field. In the notes field if someone
> uses a single quote like in the word "didn't" the single quote is taken
> as an end of statement.
>
> I have tried to replace the ' with a \' and still have not had any luck.
> Here is the code:
'\' also has special meaning in Java as an 'escape' character, so if you want a literal \', you would have to write it as \\' in a Java String.
However, I recommend you avoid all this trouble of escaping (because it can actually lead to security problems down the road), and use PreparedStatements to do the 'dirty' work for you (they take care of escaping _everything_ correctly).
It would be as simple as doing something like:
```java
// One '?' placeholder per column; the driver handles quoting of each value.
PreparedStatement pStmt = con.prepareStatement("INSERT INTO callslip "
    + "(custnum, callslip, cdate, equip1, equip2, reason, services, recommendations, "
    + "rscheduled, charges, collected, notes, followup) "
    + "Values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");

// Bind the values by 1-based parameter index, in column order.
pStmt.setString(1, custnum);
pStmt.setString(2, callslip);
pStmt.setString(3, cdate);
pStmt.setString(4, equip1);
pStmt.setString(5, equip2);
pStmt.setString(6, reason);
pStmt.setString(7, tservices);
pStmt.setString(8, recommendations);
pStmt.setString(9, rscheduled);
pStmt.setString(10, charges);
pStmt.setString(11, collected);
pStmt.setString(12, notes);
pStmt.setString(13, followup);

pStmt.executeUpdate();
```
This has the benefit of doing all of the escaping for you, and it ends up being faster than all of the string concatenation you are doing (you should read up on StringBuffers... string concatenation en masse using '+' in Java is not the way to go), as well as being faster in MySQL-4.1, which has server-side prepared statements.
If you wanted to be real slick, you could prepare this statement ahead of time on the given connection, and just re-use it whenever you needed it...this would be more efficient, but you'd have to make sure that you kept the connection and prepared statement instance together.
-Mark

--
For technical support contracts, visit https://order.mysql.com/?ref=mmma

Mark Matthews <ma...@mysql.com>
MySQL AB, Full-Time Developer - JDBC/Java
Flossmoor (Chicago), IL USA
www.mysql.com
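Mark's two points side by side, as an added example that is not code from the thread or from MySQL Connector/J: the concatenated SQL text the original poster was building, the manual `\\'` replacement he tried, and the PreparedStatement version that leaves quoting to the driver. It assumes a reduced `callslip` table with only `custnum` and `notes` columns, a hypothetical JDBC URL, user and password passed on the command line, and the constructed note text below.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class NotesInsertExample {

    // Constructed sample value from the thread: a note containing a single quote.
    static final String SAMPLE_NOTE = "Customer said the unit didn't power on.";

    /**
     * The original approach: build the SQL text by string concatenation.
     * Returned as a String so the reader can see exactly what the server
     * would parse; the quote in "didn't" closes the literal early.
     */
    static String buildByConcatenation(String custnum, String notes) {
        return "INSERT INTO callslip (custnum, notes) VALUES ('"
                + custnum + "', '" + notes + "')";
    }

    /**
     * Manual escaping as the poster tried it. In Java source, "\\'" is the
     * two characters backslash + quote. This only handles quotes: a backslash
     * already present in the input is left alone, and whether "\'" is an
     * escape at all depends on the server's quoting mode, which is why the
     * thread recommends leaving escaping to the driver.
     */
    static String buildWithManualEscape(String custnum, String notes) {
        String escaped = notes.replace("'", "\\'");
        return "INSERT INTO callslip (custnum, notes) VALUES ('"
                + custnum + "', '" + escaped + "')";
    }

    /**
     * Recommended approach: a PreparedStatement with '?' placeholders.
     * The value never becomes part of the SQL text, so a quote in 'notes'
     * is stored as data and is never parsed as SQL. Returns the row count.
     */
    static int insertNote(Connection con, String custnum, String notes) throws SQLException {
        String sql = "INSERT INTO callslip (custnum, notes) VALUES (?, ?)";
        try (PreparedStatement pStmt = con.prepareStatement(sql)) {
            pStmt.setString(1, custnum);
            pStmt.setString(2, notes);
            return pStmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Offline part: show the text each string-building approach would send.
        System.out.println(buildByConcatenation("1001", SAMPLE_NOTE));
        System.out.println(buildWithManualEscape("1001", SAMPLE_NOTE));

        // Online part: hypothetical JDBC URL, user and password from the
        // command line, e.g. jdbc:mysql://localhost/test (assumed, not from the thread).
        if (args.length == 3) {
            try (Connection con = DriverManager.getConnection(args[0], args[1], args[2])) {
                int rows = insertNote(con, "1001", SAMPLE_NOTE);
                System.out.println("rows inserted: " + rows);
            }
        }
    }
}
```

`javac NotesInsertExample.java && java NotesInsertExample` runs the offline part and prints the two statement strings; adding a JDBC URL, user and password runs the parameterised insert against a real database. The concatenated output makes the problem visible in the SQL text itself, while `insertNote` is the same shape as Mark's snippet, which is why it is the right fix for any user-supplied value, not only ones containing apostrophes.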




