Craig McClanahan wrote:
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields.
I hope you never have a customer named O'Reilly :-).
I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
For SQL-destined text, I disallow \ and '.
If I'm doing the SQL myself, I always use prepared statements:
Absolutely. PreparedStatement is always the way to go, depending on the database you'll get a couple of performance gains also.
    String streetAddress = "..."; // String may have "\" and "'" characters in it
    PreparedStatement stmt = conn.prepareStatement
        ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
    stmt.setString(1, streetAddress);
    stmt.setInt(2, custId);
    stmt.executeUpdate();
and let the JDBC driver take care of getting the sensitive characters
escaped as needed.
In fact the drivers should not (again implementation specific) need to do any escaping; the statement and data are separate entities. The statement will still contain ? (or equivalent) in the rdbms.
Brett
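As an added example (not code from this thread), the same contrast in Python with the standard-library sqlite3 module, since a JDBC snippet would need a database and driver to run: the concatenated update fails on an apostrophe in the address, while the parameterised update stores it intact because the data never passes through the SQL parser. The CUSTOMER table and the sample addresses are constructed.

```python
import sqlite3


def make_db():
    """In-memory CUSTOMER table with one row (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (CUSTID INTEGER PRIMARY KEY, STREET_ADDRESS TEXT)")
    conn.execute("INSERT INTO CUSTOMER VALUES (1, 'unset')")
    conn.commit()
    return conn


def update_address_concat(conn, cust_id, street_address):
    """Fragile approach: data spliced into the SQL text, as in the original
    poster's code. An apostrophe in the data terminates the string literal
    early and the statement no longer parses."""
    sql = ("UPDATE CUSTOMER SET STREET_ADDRESS='" + street_address +
           "' WHERE CUSTID=" + str(cust_id))
    conn.execute(sql)
    conn.commit()


def update_address_param(conn, cust_id, street_address):
    """Parameterised version: the SQL text contains only '?' placeholders;
    the values are bound separately and are never parsed as SQL."""
    conn.execute("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?",
                 (street_address, cust_id))
    conn.commit()


def read_address(conn, cust_id):
    row = conn.execute("SELECT STREET_ADDRESS FROM CUSTOMER WHERE CUSTID=?",
                       (cust_id,)).fetchone()
    return row[0] if row else None


def roundtrip(street_address):
    """Store via the parameterised update and read back the stored value."""
    conn = make_db()
    update_address_param(conn, 1, street_address)
    return read_address(conn, 1)


def concat_fails(street_address):
    """True if the concatenation-based update raises a database error on this input."""
    conn = make_db()
    try:
        update_address_concat(conn, 1, street_address)
    except sqlite3.Error:
        return True
    return False
```

Note that SQLite does not treat a backslash as an escape character, so only the apostrophe breaks the concatenated statement here; other databases may also choke on the backslash, which is why the bound-parameter form is the portable fix.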