>>>>> "Saurabh" == Saurabh Banerjee <[EMAIL PROTECTED]> writes:
  Saurabh> Hello,

  Saurabh> I am creating insert and update SQLs in my servlet from a data entry HTML form.
  Saurabh> However the user may enter values like "isn't" which messes up my
  Saurabh> SQL statements.

  Saurabh> I need to replace each occurrence of "'" (single quote) with "''" (two
  Saurabh> single quotes).

  Saurabh> I have added the following code to escape the special characters:

  Saurabh>                     //escape special characters
  Saurabh>                     if (form_field_data_type[i].compareTo("C") == 0 )
  Saurabh>                     {
  Saurabh>                         int pos = 0;
  Saurabh>                         boolean found = false;
  Saurabh>                         // no upper bound on pos: the string grows by one
  Saurabh>                         // character per insertion, so a bound taken from the
  Saurabh>                         // original length would stop the loop early and leave
  Saurabh>                         // trailing quotes unescaped; indexOf() returning -1 is
  Saurabh>                         // the only exit needed
  Saurabh>                         while (pos != -1)
  Saurabh>                         {
  Saurabh>                             pos = value.indexOf("'", pos);
  Saurabh>                             if (pos == -1) { break; }
  Saurabh>                             found = true;
  Saurabh>                             // double the quote, then skip past both copies
  Saurabh>                             value = value.substring(0, pos) + "'" + value.substring(pos);
  Saurabh>                             pos = pos + 2;
  Saurabh>                         }
  Saurabh>                         if (found)
  Saurabh>                         {
  Saurabh>                             form_field_value[i] = value;
  Saurabh>                         }
  Saurabh>                     }

  Saurabh> Is there any easier way to achieve this? I understand that I can use a
  Saurabh> prepared statement, which handles all these for me, but that would require a lot
  Saurabh> of changes in my code!!

When you make those "lot of changes", your code will be smaller and
more robust.  You can delete all this code that tries to escape
quotes.

When you implement PreparedStatements, note that it's problematic to
"cache" them if you are using connection pooling, because they're
always associated with the connection they were created with.
Nevertheless, you're still better off using PreparedStatements.

--
===============================================================================
David M. Karr     ; [EMAIL PROTECTED]  ; w:(425)487-8312 ; TCSI & Best Consulting
Software Engineer ; Unix/Java/C++/X ; BrainBench CJ12P (6/12/2000)

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
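An added example, not code from either poster, showing the two approaches this thread compares side by side: the hand-rolled quote doubling written over the whole string (so it cannot stop early the way a loop bounded by the original length can), and the PreparedStatement form that obtains a Connection from the pool and prepares the statement per request, which is the shape that sidesteps the caching problem David raises. The table `notes`, the column `body` and the `DataSource` are assumed names.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.sql.DataSource;

public final class NoteInsert {

    // Assumed schema for this example: a table "notes" with a text column "body".
    private static final String INSERT_SQL = "INSERT INTO notes (body) VALUES (?)";

    // Approach 1: string concatenation with manual escaping (the servlet's current style).
    // Doubling single quotes is the correct rule for a standard SQL string literal, but it
    // only covers that one context and every call site must remember to apply it.
    static String escapeQuotes(String value) {
        // Whole-string replace: no loop bound to go stale as the string grows.
        return value.replace("'", "''");
    }

    static String buildInsertByConcatenation(String value) {
        return "INSERT INTO notes (body) VALUES ('" + escapeQuotes(value) + "')";
    }

    // Approach 2: PreparedStatement. The value travels as a bound parameter and is never
    // parsed as SQL text, so "isn't" needs no escaping at all.
    static int insertWithPreparedStatement(Connection conn, String value) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, value);
            return ps.executeUpdate();
        }
    }

    // With connection pooling: borrow a Connection per request and prepare the statement
    // on that Connection, instead of holding a PreparedStatement in a servlet field.
    // A cached PreparedStatement stays tied to the Connection that created it, which the
    // pool may have handed to another thread or closed in the meantime.
    static int insertNote(DataSource ds, String value) throws SQLException {
        try (Connection conn = ds.getConnection()) {
            return insertWithPreparedStatement(conn, value);
        }
    }
}
```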