Hello Saurabh,


You can use the following function


 import java.util.StringTokenizer;

 public String change(String str){
  // nothing to escape in a missing value (the null check must come
  // before the tokenizer is built, or it throws NullPointerException)
  if(str==null){
   return "";
  }
  StringBuffer st=new StringBuffer();
  // returnDelims=true hands each quote back as its own token; with the
  // default the quotes are silently dropped, so a leading quote or two
  // quotes in a row would vanish from the result
  StringTokenizer t=new StringTokenizer(str,"'",true);
  while(t.hasMoreTokens()){
   String tok=t.nextToken();
   if(tok.equals("'"))
    st.append("\\'");   // emit \' for each single quote
   else
    st.append(tok);
  }
  return st.toString();
 }



like this:


        tempStr=theResult.getString(1);
        ssql= ssql + " abc='" + change(tempStr) + "'";



Best Regards,
Deepak Kumar

http://www.roseindia.net
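As an added example (not code from either message in this thread), here is the doubled-quote escaper Saurabh describes, next to the PreparedStatement form he mentions as the alternative. The class name, the table name mytable and the id column are assumptions made for illustration; the sample inputs in main are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class SqlQuoting {

    /**
     * Escape a value for embedding in a single-quoted SQL literal by
     * doubling every single quote, the escape form standard SQL defines.
     * Returns "" for null so the caller never sees a NullPointerException.
     */
    public static String escapeSingleQuotes(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer out = new StringBuffer(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\'') {
                out.append("''");
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Build the "column='value'" fragment used by string-concatenated SQL. */
    public static String setFragment(String column, String value) {
        return column + "='" + escapeSingleQuotes(value) + "'";
    }

    /**
     * The safer alternative: a parameter marker. The driver sends the value
     * separately (or quotes it itself), so no escaping code is needed at all.
     * The table name "mytable" and the "id" column are hypothetical.
     */
    public static int updateAbc(Connection conn, int id, String value) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("UPDATE mytable SET abc=? WHERE id=?");
        try {
            ps.setString(1, value);
            ps.setInt(2, id);
            return ps.executeUpdate();
        } finally {
            ps.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: ordinary text, an apostrophe, nothing but
        // quotes, the classic tautology payload, and a missing value.
        String[] samples = { "hello", "isn't", "''", "x' OR '1'='1", null };
        for (int i = 0; i < samples.length; i++) {
            System.out.println(samples[i] + "  ->  " + setFragment("abc", samples[i]));
        }
    }
}
```

Quote doubling deals with the quote character only. A database that also treats backslash as an escape inside literals (MySQL in its default mode) needs backslashes handled as well, otherwise a value ending in a backslash swallows the closing quote of the fragment. That is the practical reason to prefer the parameter-marker version even though it means touching more of the existing code.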



----- Original Message -----
From: Saurabh Banerjee <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 27, 2000 2:54 AM
Subject: inserting jdbc escape characters in SQL


> Hello,
>
> I am creating insert and update SQLs in my servlet from a data entry HTML form.
> However the user may enter values like "isn't" which messes up my
> SQL statements.
>
> I need to replace each occurrence of "'" (single quote) with "''" (two
> single quotes).
>
> I have added the following code to escape the special characters:
>
>                     //escape special characters
>                     if (form_field_data_type[i].compareTo("C") == 0 )
>                     {
>                         int pos = 0;
>                         boolean found = false;
>                         // keep scanning until indexOf runs out of quotes;
>                         // value grows as quotes are doubled, so no length cap
>                         while (pos != -1)
>                         {
>                             pos = value.indexOf("'",pos);
>                             if (pos == -1) { break;}
>                             found = true;
>                             // double the quote, then step past both copies
>                             value = value.substring(0, pos ) + "'" + value.substring(pos);
>                             pos = pos + 2;
>                         }
>                         if (found)
>                         {
>                             form_field_value[i] = value;
>                         }
>                     }
>
> Is there any easier way to achieve this? I understand that I can use
> prepared statement which handles all these for me but that would require a lot
> of changes in my code!!
>
> thanks,
> Saurabh
>
>
>
>
>
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
>
___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
