If you use the ? in your SQL statement and put the evil string
that has quotes between <param>It's OK here</param> tags,
you should be alright. It is not really SQL that minds;
you just need a way to be clear about what you are passing to SQL.
Hope this helps (and is correct)
Morris
On Tue, 11 Jun 2002, Carole E. Mah wrote:
>
> Dear Paul,
>
> I don't understand your reply, or how your examples relate to single quote
> marks in any way.
>
> Sorry to be so dense!
>
> I am just trying to keep mySQL from freaking out when it sees a quotation
> mark -- all I need to do is replace every occurrence of ' with \', e.g.
> if I were inserting a query by hand on the mySQL command line, I would do
> this:
> INSERT INTO foo VALUES("bar", "blort", "Paul\'s example");
> But since I don't know if, when or how many single quotes a user might try
> to put into the input form, I need something less manual to deal with it.
>
> I suppose there is probably a regexp tag library that would do this?
> i.e. the perl equivalent would be s/'/\'/g
>
> ...
>
> Ok, yes, I've just looked at the regexp taglib documentation, and it does
> look as if that is my answer.
>
> Sorry to have bothered you!
>
> -carole
>
> On Tue, 11 Jun 2002, Paul DuBois wrote:
> > At 14:12 -0400 6/11/02, Carole E. Mah wrote:
>
> > >DBtags has an 'escapeSql' tag, but JSTL:sql does not.
> >
> > Use <sql:param> in your <sql:query> or <sql:update> tag body,
> > and use ? as a placeholder character in the query string.
> >
> > <%-- placeholder value in <sql:param> body --%>
> > <sql:update var="count" dataSource="${conn}">
> > DELETE FROM tbl_name WHERE id > ?
> > <sql:param>100</sql:param>
> > </sql:update>
> >
> > <%-- placeholder value in <sql:param> value attribute --%>
> > <sql:query var="rs" dataSource="${conn}">
> > SELECT id, name FROM tbl_name WHERE cats = ? AND color = ?
> > <sql:param value="1" />
> > <sql:param value="green" />
> > </sql:query>
> >
> > >
> > >So, using JSTL, how does one escape single quotes?
> > >
> > >Thank you,
> > >-carole
> > >
> > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > >Carole E. Mah [EMAIL PROTECTED]
> > > Senior Programmer/Analyst
> > > Brown University Scholarly Technology Group
> > > phn 401-863-2669
> > > fax 401-863-9313
> > > http://www.stg.brown.edu/
> > > personal: http://www.stg.brown.edu/~carolem/
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> >
> >
>
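The point the thread circles around (hand-escaping quotes versus letting the driver bind a ? placeholder) can be shown end to end in a few lines. This is an added example, not code from anyone in the thread; it uses Python's sqlite3 module as a stand-in for JSTL's <sql:param> over MySQL, and the "evil" input string is constructed for the demonstration. It also illustrates why the s/'/\'/g approach is fragile: the backslash escape is MySQL's literal syntax, while standard SQL (and SQLite) doubles the quote instead, so a hand-built escape that works on one database breaks on another. A bound parameter never enters the statement text at all, so the driver handles the dialect for you.

```python
import sqlite3

# Constructed sample input: a user-typed value containing an apostrophe,
# the kind of thing that "freaks out" a hand-built INSERT statement.
EVIL = "Paul's example"


def setup():
    """Create an in-memory table matching the INSERT INTO foo example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (a TEXT, b TEXT, c TEXT)")
    return conn


def insert_concatenated(conn, value):
    """Hand-escaping approach: s/'/\\'/g, then paste the result into the SQL.

    This is MySQL's backslash escape; SQLite (like standard SQL) does not
    treat backslash specially, so the literal is terminated early and the
    statement fails to parse.
    """
    escaped = value.replace("'", "\\'")
    sql = f"INSERT INTO foo VALUES ('bar', 'blort', '{escaped}')"
    conn.execute(sql)


def insert_parameterized(conn, value):
    """Placeholder approach: ? in the statement, value bound separately.

    The driver passes the value to the database out of band, so no quoting
    rules apply and the apostrophe is stored exactly as typed.
    """
    conn.execute("INSERT INTO foo VALUES (?, ?, ?)", ("bar", "blort", value))


def stored_values(conn):
    """Return every value stored in column c."""
    return [row[0] for row in conn.execute("SELECT c FROM foo")]


def demo(value=EVIL):
    """Run both approaches and report what happened to each."""
    conn = setup()
    try:
        insert_concatenated(conn, value)
        concat_result = "ok"
    except sqlite3.Error as exc:
        concat_result = f"error: {exc}"
    insert_parameterized(conn, value)
    return concat_result, stored_values(conn)


if __name__ == "__main__":
    outcome, rows = demo()
    print("hand-escaped INSERT:", outcome)
    print("rows stored via ? binding:", rows)
```

Running it shows the hand-escaped INSERT rejected by SQLite's parser, while the parameterized INSERT stores "Paul's example" intact. Swap the backslash for a doubled quote and the concatenated version starts working on SQLite but would then be wrong for a MySQL server with backslash escapes enabled, which is exactly the dialect dependence that <sql:param> removes.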