At 14:12 -0400 6/11/02, Carole E. Mah wrote:
>DBtags has an 'escapeSql' tag, but JSTL:sql does not.
Use <sql:param> in your <sql:query> or <sql:update> tag body,
and use ? as a placeholder character in the query string.
<%-- placeholder value in <sql:param> body --%>
<sql:update var="count" dataSource="${conn}">
DELETE FROM tbl_name WHERE id > ?
<sql:param>100</sql:param>
</sql:update>
<%-- placeholder value in <sql:param> value attribute --%>
<sql:query var="rs" dataSource="${conn}">
SELECT id, name FROM tbl_name WHERE cats = ? AND color = ?
<sql:param value="1" />
<sql:param value="green" />
</sql:query>
>
>So, using JSTL, how does one escape single quotes?
>
>Thank you,
>-carole
>
>- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>Carole E. Mah [EMAIL PROTECTED]
> Senior Programmer/Analyst
> Brown University Scholarly Technology Group
> phn 401-863-2669
> fax 401-863-9313
> http://www.stg.brown.edu/
> personal: http://www.stg.brown.edu/~carolem/
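As an added example (not part of the original thread), the same `?` placeholder pattern applied to a request parameter that contains a single quote, such as a name like O'Brien: the driver binds the value, so no escapeSql step is needed. Assumed here: the JSTL 1.0 taglib URIs, a `name` request parameter, the `tbl_name` table, and the `${conn}` datasource used in the reply above.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %>

<%-- Form to avoid: EL interpolated straight into the SQL text. A quote in
     ?name=O'Brien breaks the statement, and quote-laden input can change
     what the statement means. Left commented out so it never runs. --%>
<%--
<sql:query var="rs" dataSource="${conn}">
  SELECT id, name FROM tbl_name WHERE name = '${param.name}'
</sql:query>
--%>

<%-- Safe form: the value is sent to the driver as a bound parameter, so
     the quote in O'Brien is data, not SQL syntax. Nothing is escaped by
     hand; this is the JSTL answer to DBtags' escapeSql. --%>
<sql:query var="rs" dataSource="${conn}">
  SELECT id, name FROM tbl_name WHERE name = ?
  <sql:param value="${param.name}" />
</sql:query>

<%-- c:out escapes XML characters on the way out, so the row data cannot
     inject markup into the page either. --%>
<c:forEach var="row" items="${rs.rows}">
  <c:out value="${row.id}" /> <c:out value="${row.name}" /><br />
</c:forEach>
```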