On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.
>
I hope you never have a customer named O'Reilly :-).
> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.
If I'm doing the SQL myself, I always use prepared statements:
String streetAddress = "..."; // String may have "\" and "'" characters in it
PreparedStatement stmt = conn.prepareStatement(
    "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
stmt.setString(1, streetAddress); // bound as a value, never spliced into the SQL text
stmt.setInt(2, custId);
stmt.executeUpdate();
stmt.close();
and let the JDBC driver take care of getting the sensitive characters
escaped as needed.
(Of course, if you're using a persistence tier abstraction like EJB or
JDO or JDBC RowSets or Hibernate or iBatis et al., you don't need to
worry about any of this -- it all happens automatically for you.)
> For XML destined text, I disallow <, >, &, \, and ".
For XML, I use one of several strategies depending on the detailed situation:
* Recognize that XML allows either " or ' as attribute delimiters,
so if a string includes one kind, just use the other.
* Write or use an XML serializer that translates "&" to "&amp;"
  and so on for me.
* If the XML I am writing is actually markup on a page, use
JSF components ... JSF includes APIs that do all the escaping
for you.
>
> Wiebe de Jong
Craig
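The two points of the reply above, demonstrated end to end as an added example that is not part of the original thread. The reply's code is Java/JDBC; this is a Python stand-in using sqlite3's DB-API parameter binding in place of PreparedStatement, and xml.sax.saxutils for the XML side. The customer table, the sample addresses and the hostile value are constructed here for the example. It shows the symptom Wiebe hit (an apostrophe turning a concatenated UPDATE into a syntax error), the worse outcome the same construction allows (a crafted address that rewrites every row), that binding stores every one of those values verbatim, and that for XML the serializer picks the attribute delimiter and escapes & < > so that no character, backslash included, has to be banned at input time.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample data for this example: the values carry exactly the
# characters the thread wants to ban (apostrophe, backslash, XML
# metacharacters) plus one deliberately hostile value.
SAMPLE_ADDRESSES = {
    1: "12 O'Reilly Lane",
    2: r"C:\temp\road 'B' <unit 4 & 5>",
    3: "9 Main St'; DROP TABLE customer; --",
}
# Hostile value: spliced into "UPDATE ... WHERE custid=N" it closes the
# string, replaces the WHERE clause, and comments out the rest of the statement.
INJECTION = "hijacked' WHERE 1=1 --"


def make_db():
    """In-memory stand-in for the CUSTOMER table in the reply (three rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (custid INTEGER PRIMARY KEY, street_address TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [(1, "old"), (2, "old"), (3, "old")])
    return conn


def update_address_concat(conn, custid, street_address):
    """The approach that broke on O'Reilly: the value becomes part of the SQL text."""
    sql = ("UPDATE customer SET street_address='" + street_address
           + "' WHERE custid=" + str(custid))
    conn.execute(sql)


def update_address_bound(conn, custid, street_address):
    """DB-API equivalent of the JDBC PreparedStatement in the reply: the SQL text
    is fixed and the values travel separately, so nothing in them needs escaping."""
    conn.execute("UPDATE customer SET street_address=? WHERE custid=?",
                 (street_address, custid))


def all_addresses(conn):
    return [row[0] for row in
            conn.execute("SELECT street_address FROM customer ORDER BY custid")]


def concat_apostrophe_fails():
    """Concatenation turns O'Reilly into a syntax error (the symptom in the thread)."""
    conn = make_db()
    try:
        update_address_concat(conn, 1, SAMPLE_ADDRESSES[1])
    except sqlite3.OperationalError:
        return True
    return False


def concat_injection_rewrites_all():
    """Concatenation lets a crafted 'address' for customer 1 overwrite every row."""
    conn = make_db()
    update_address_concat(conn, 1, INJECTION)
    return all_addresses(conn)


def bound_roundtrip():
    """With binding every sample value, hostile ones included, is stored verbatim,
    and the crafted value touches only the row it was bound to."""
    conn = make_db()
    for custid, addr in SAMPLE_ADDRESSES.items():
        update_address_bound(conn, custid, addr)
    update_address_bound(conn, 1, INJECTION)
    return all_addresses(conn)


def customer_xml(custid, street_address):
    """Serialise one customer as XML. quoteattr() uses whichever delimiter the
    value does not contain (the first strategy in the reply; if it contains both
    it falls back to &quot;) and escapes & < >; escape() handles element text.
    Backslash is not special in XML and is left untouched."""
    return '<customer id="%d" street=%s>%s</customer>' % (
        custid, quoteattr(street_address), escape(street_address))


def customer_xml_roundtrip(custid, street_address):
    """Parse the serialised element back; attribute and text must equal the input."""
    elem = ET.fromstring(customer_xml(custid, street_address))
    return elem.get("street"), elem.text
```

Binding covers values only: a table or column name taken from user input still has to be checked against a whitelist, because no driver will parameterise an identifier.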
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]