Menu
I am building an insert command to execute using jdbc. Part of it is to concatenate a user generated string...this all works until the user uses a string like this:
a'bcd
String userString="a'bcd"; String insertTableSQL = "INSERT INTO myTable " + "(insertColumn) " + "VALUES(" +"'"+userString+"'" +")"; statement.executeUpdate(insertTableSQL); 
280
The simplest method to escape single quotes in SQL is to use two single quotes. For example, if you wanted to show the value O'Reilly, you would use two quotes in the middle instead of one. The single quote is the escape character in Oracle, SQL Server, MySQL, and PostgreSQL.
If you need to use single quotes and double quotes in a string that contains both a contraction and a quote, you will need to use the backslash '' to cancel out the following character.
Use braces to escape a string of characters or symbols. Everything within a set of braces in considered part of the escape sequence. When you use braces to escape a single character, the escaped character becomes a separate token in the query. Use the backslash character to escape a single character or symbol.
You can do either of the below:
Use the PreparedStatement class. (Recommended)
String userString="a'bcd"; String myStatement = " INSERT INTO MYTABLE (INSERTCOLUMN) VALUES (?)"; PreparedStatement statement= con.prepareStatement (myStatement ); statement.setString(1,userString); statement.executeUpdate(); Escape the single quotes.
In SQL, single quotes will be escaped by using double single quotes. ' --> ''
String userString="a'bcd"; String changedUserString = userString.replace("'","''"); //changedUserString = a''bcd String insertTableSQL = "INSERT INTO myTable (insertColumn) VALUES(" +" '"+changedUserString +"' )"; If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
