Dear Paul,

I don't understand your reply, or how your examples relate to single quote
marks in any way.

Sorry to be so dense!

I am just trying to keep mySQL from freaking out when it sees a quotation
mark -- all I need to do is replace every occurrence of ' with \', e.g.
if I were inserting a query by hand on the mySQL command line, I would do
this:
  INSERT INTO foo VALUES("bar", "blort", "Paul\'s example");
But since I don't know if, when or how many single quotes a user might try
to put into the input form, I need something less manual to deal with it.

I suppose there is probably a regexp tag library that would do this?
i.e. the perl equivalent would be s/'/\'/g

...

Ok, yes, I've just looked at the regexp taglib documentation, and it does
look as if that is my answer.

Sorry to have bothered you!

-carole

On Tue, 11 Jun 2002, Paul DuBois wrote:
> At 14:12 -0400 6/11/02, Carole E. Mah wrote:

> >DBtags has an 'escapeSql' tag, but JSTL:sql does not.
> 
> Use <sql:param> in your <sql:query> or <sql:update> tag body,
> and use ? as a placeholder character in the query string.
> 
> <%-- placeholder value in <sql:param> body --%>
> <sql:update var="count" dataSource="${conn}">
>       DELETE FROM tbl_name WHERE id > ?
>       <sql:param>100</sql:param>
> </sql:update>
> 
> <%-- placeholder value in <sql:param> value attribute --%>
> <sql:query var="rs" dataSource="${conn}">
>       SELECT id, name FROM tbl_name WHERE cats = ? AND color = ?
>       <sql:param value="1" />
>       <sql:param value="green" />
> </sql:query>
> 
> >
> >So, using JSTL, how does one escape single quotes?
> >
> >Thank you,
> >-carole
> >
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >Carole E. Mah                     [EMAIL PROTECTED]
> >            Senior Programmer/Analyst
> >    Brown University Scholarly Technology Group
> >                phn 401-863-2669
> >                fax 401-863-9313
> >             http://www.stg.brown.edu/
> >   personal: http://www.stg.brown.edu/~carolem/
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> 
> 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Carole E. Mah                     [EMAIL PROTECTED]
           Senior Programmer/Analyst
   Brown University Scholarly Technology Group
               phn 401-863-2669
               fax 401-863-9313
            http://www.stg.brown.edu/
  personal: http://www.stg.brown.edu/~carolem/
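
Added example (not part of the original messages, and not code from either correspondent): the INSERT from the message above rewritten with the `?` placeholders and `<sql:param>` tags from the quoted reply, so form input containing a single quote is stored without any manual escaping. The JSTL 1.1+ taglib URIs (JSTL 1.0 uses `http://java.sun.com/jstl/core` and `http://java.sun.com/jstl/sql`), the three-column layout of `foo`, and the form field names `title`, `category` and `comment` are assumptions; `${conn}` is the data source used in the quoted reply.

```jsp
<%-- Added example, not from the original thread. Assumes the JSTL 1.1+ taglib
     URIs, the ${conn} data source from the quoted reply, a three-column table
     foo, and hypothetical form fields title, category and comment. --%>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>

<c:if test="${pageContext.request.method == 'POST'}">
  <%-- Each ? is filled from the matching <sql:param>, in order. The values are
       handed to the statement as parameters, so the driver takes care of
       quoting: a value such as  Paul's example  needs no backslash and cannot
       end the string literal early. --%>
  <sql:update var="count" dataSource="${conn}">
      INSERT INTO foo VALUES (?, ?, ?)
      <sql:param value="${param.title}" />
      <sql:param value="${param.category}" />
      <sql:param value="${param.comment}" />
  </sql:update>

  <%-- c:out escapes markup characters, so echoing the submitted text back
       into the page is safe for HTML as well. --%>
  <p>Inserted <c:out value="${count}" /> row(s); comment stored as:
     <c:out value="${param.comment}" /></p>
</c:if>

<%-- Constructed sample form; posts back to this same page. --%>
<form method="post">
  <input type="text" name="title" />
  <input type="text" name="category" />
  <input type="text" name="comment" />
  <input type="submit" value="Save" />
</form>
```

A regexp replacement of `'` with `\'` only covers the one character it names, while the placeholder form leaves all quoting to the driver.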

