Quotes in SQL string

[DaveMere]

Hi there,

I have to pass a string of SQL from a java class to call a Sybase stored procedure. Everything's working well, except for when the input fields contain quote marks. Then, the SQL ends up something like;

MyProc 'My House', 'Your House', 'John's House'

which obviously doesn't work. It's valid for quote marks to be included in these information fields, so I have to allow it . . . how can I avoid these characters messing up my carefully crafted SQL?

Many thanks in advance, DaveMere

[mikeBarr81]

Use a StringBuffer to remove the quotes. Something like...

Code:

StringBuffer theString = new StringBuffer(yourString);
int index = theString.indexOf("\'");

while(index != -1)
{
    theString.deleteCharAt(index);
    index = theString.indexOf("\'");
}

If you don't want to do that you could just check the string for quotes and any other characters you don't want in there, and if they're there tell the user to do it again.