
List:       mysql-java
Subject:    Re: Problems with Single Quotes
From:       Mark Matthews <mark () mysql ! com>
Date:       2003-04-21 1:12:14

Christopher Molnar wrote:
| Hello,
|
| I have seen answers to this in the FAQs, but none address Java, and I
| need to try and figure this problem out.
|
| I have an application with a notes field. In the notes field, if someone
| uses a single quote like in the word "didn't", the single quote is taken
| as an end of statement.
|
| I have tried to replace the ' with a \' and still have not had any luck.
| Here is the code:

'\' also has special meaning in Java as an 'escape' character, so if you
want a literal \', you would have to write it as \\' in a Java String.

However, I recommend you avoid all this trouble of escaping (because it
can actually lead to security problems down the road), and use
PreparedStatements to do the 'dirty' work for you (they take care of
escaping _everything_ correctly).

It would be as simple as doing something like:

// One '?' placeholder per column; the driver quotes and escapes each bound value.
// (The SQL text is split into concatenated literals so it compiles as a Java String.)
PreparedStatement pStmt = con.prepareStatement(
    "INSERT INTO callslip (custnum, callslip, cdate, equip1, equip2, reason, "
    + "services, recommendations, rscheduled, charges, collected, notes, followup) "
    + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");

// Parameters are 1-based and bound in column order.
pStmt.setString(1, custnum);
pStmt.setString(2, callslip);
pStmt.setString(3, cdate);
pStmt.setString(4, equip1);
pStmt.setString(5, equip2);
pStmt.setString(6, reason);
pStmt.setString(7, tservices);
pStmt.setString(8, recommendations);
pStmt.setString(9, rscheduled);
pStmt.setString(10, charges);
pStmt.setString(11, collected);
pStmt.setString(12, notes);
pStmt.setString(13, followup);

pStmt.executeUpdate();

This has the benefits of doing all of the escaping for you, and it ends
up being faster than all of the string concatenation you are doing (you
should read up on StringBuffers...String concatenation en masse using
'+' in Java is not the way to go), as well as being faster in MySQL-4.1,
which has server-side prepared statements.

If you wanted to be real slick, you could prepare this statement ahead
of time on the given connection, and just re-use it whenever you needed
it...this would be more efficient, but you'd have to make sure that you
kept the connection and prepared statement instance together.

-Mark
--
For technical support contracts, visit https://order.mysql.com/?ref=mmma

    __  ___     ___ ____  __
   /  |/  /_ __/ __/ __ \/ /  Mark Matthews <mark@mysql.com>
  / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Full-Time Developer - JDBC/Java
 /_/  /_/\_, /___/\___\_\___/ Flossmoor (Chicago), IL USA
        <___/ www.mysql.com
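The contrast Mark describes, as an added example that is not code from this thread: the concatenated INSERT the original poster was building, shown next to the bound-parameter version that lets the driver do the quoting. The table is reduced to two columns, the JDBC URL and credentials are placeholders, and the note text is constructed; a MySQL JDBC driver on the classpath is assumed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not code from the thread. Assumes a MySQL JDBC driver on the
// classpath and a reachable database; URL and credentials are placeholders.
public class NotesInsertDemo {
    static final String JDBC_URL = "jdbc:mysql://DB_HOST_PLACEHOLDER/callslipdb";

    // The pattern from the original post: the note is spliced into the SQL text.
    // A note such as "didn't" closes the string literal early, so the rest of
    // the value is parsed as SQL instead of stored as data.
    static String concatenatedInsert(String custnum, String notes) {
        return "INSERT INTO callslip (custnum, notes) VALUES ('"
                + custnum + "', '" + notes + "')";
    }

    // The fix Mark recommends: '?' placeholders with values bound by setString.
    // The driver quotes and escapes the value, so it is never parsed as SQL.
    static int insertWithPreparedStatement(Connection con, String custnum, String notes)
            throws SQLException {
        try (PreparedStatement pStmt = con.prepareStatement(
                "INSERT INTO callslip (custnum, notes) VALUES (?, ?)")) {
            pStmt.setString(1, custnum);
            pStmt.setString(2, notes);
            return pStmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        String notes = "Customer said the unit didn't power on"; // constructed input
        // Print the malformed statement text only; it is never executed.
        System.out.println(concatenatedInsert("1001", notes));

        try (Connection con = DriverManager.getConnection(JDBC_URL, "USER", "PASS")) {
            System.out.println("rows inserted: "
                    + insertWithPreparedStatement(con, "1001", notes));
            // Read it back, again with a bound parameter rather than concatenation.
            try (PreparedStatement q = con.prepareStatement(
                    "SELECT notes FROM callslip WHERE custnum = ?")) {
                q.setString(1, "1001");
                try (ResultSet rs = q.executeQuery()) {
                    while (rs.next()) System.out.println(rs.getString(1));
                }
            }
        }
    }
}
```

The printed concatenated statement shows the apostrophe in "didn't" terminating the literal, which is the syntax error the original poster hit; the prepared version stores the same note intact.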

