Killer apostrophe in SQL query


  1. #1
    Join Date
    Mar 2005

    Killer apostrophe in SQL query

    My J2EE app builds SQL queries using text from form data. While testing,
    I noticed that an SQL exception occurs whenever the user includes an apostrophe in a form text field. I'm sure there must be a more elegant solution than removing all apostrophes from user input :-). Can anyone help me with this?


  2. #2
    Join Date
    Oct 2004
    What you could do is HTML-encode the text before sending it to the database, and HTML-decode it when extracting it. HTML encoding makes sure that any strange characters (like the apostrophe) are coded in the following manner: &#39;
    This way, the text itself may become a bit larger, though.

    Another way to solve this problem is to use bound variables to put the text into the database, but I'm not sure if your database driver supports this feature.
    Bound variables work like this:
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.SQLException;

    String text1 = "text to put in col 1";
    String text2 = "text to put in col 2";
    Connection conn = createDatabaseConnection();
    String sql = "insert into table (col1,col2) values (?,?)";
    // prepareStatement, not prepareCall: prepareCall is for stored procedures
    try (PreparedStatement stm = conn.prepareStatement(sql)) {
        stm.setString(1, text1); // value is sent separately from the SQL text, quotes and all
        stm.setString(2, text2);
        stm.executeUpdate();
    }
    But like I said I don't know if your driver or database supports this feature. If it does, you should be able to use bound variables with all your queries, not just the inserts.
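An added example, not code from either post, showing what the apostrophe exception really signals. The same quote that ends the string literal early and breaks the statement is what an attacker uses to inject SQL, so HTML-encoding the input only hides the symptom while the query is still built by string concatenation. Python's standard-library sqlite3 module stands in for JDBC here (it uses the same `?` placeholder-and-bind mechanism); the users table, its rows and the attacker string are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): three users, one with an apostrophe.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """In-memory SQLite stand-in for the J2EE app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # Insert with bound variables, the same pattern as the JDBC snippet above.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_concat(conn, name):
    """Vulnerable: form text is spliced into the SQL string.

    An apostrophe in `name` ends the literal early, so the statement is
    malformed and raises; an attacker uses the same break-out to change
    what the query does.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_bound(conn, name):
    """Safe: the value travels to the driver separately from the SQL text,
    so quotes in it are just data and are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on an apostrophe and on an injection payload."""
    conn = make_db()
    results = {}

    try:
        results["concat_apostrophe"] = find_concat(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        # The original poster's "killer apostrophe": near "Brien": syntax error
        results["concat_apostrophe"] = "error: " + str(e)

    results["bound_apostrophe"] = find_bound(conn, "O'Brien")  # ["O'Brien"]

    # Constructed attacker input: the quote that broke the query above is
    # used to turn a lookup of one user into a lookup of every user.
    payload = "x' OR '1'='1"
    results["concat_injection"] = find_concat(conn, payload)  # ['alice', 'bob', "O'Brien"]
    results["bound_injection"] = find_bound(conn, payload)    # [] (nobody is literally named that)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query fails on "O'Brien" and returns every row for the payload; the bound query returns exactly the one matching user for the apostrophe and nothing for the payload. That is the practical test to run against any query in the app: if a bare apostrophe raises, the query is built by concatenation and is injectable, whatever encoding is applied to the stored text.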
