List: MySQL and Java
From: mmatthew  Date: April 30 1999 1:29pm
Subject:Re: insert variables
On Fri, 30 Apr 1999, Ambrose Li wrote:

> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> > 
> > it uses + to concatenate 2 strings...even the variable.
> 
> What if value1 has at least one ' in it? Wouldn't that generate
> a runtime error?

If you use PreparedStatements, the driver will automatically escape all
quotes and other bad characters, as well as not put quotes around numeric
values. It is probably the most flexible way to go.

	-Mark
--
Mark Matthews <mmatthew@stripped>
http://www.ccm.ecn.purdue.edu/~mmatthew/
"Computers in the future may weigh no more than 2 tons." -Pop.Mech., 1947
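The two approaches from this thread side by side, as an added example that is not part of the original message or of the driver's own code. The table `names`, the JDBC URL and the credentials are placeholders for whatever your environment provides; the sample values are constructed to show what the concatenated form does with a quote and with a backslash (MySQL treats a backslash inside a string literal as an escape character, so the second value is silently altered rather than rejected), while `PreparedStatement` stores both verbatim because the driver, not the application, handles quoting and escaping of each parameter.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class InsertExample {
    // Assumed connection details; adjust to your environment.
    static final String URL = "jdbc:mysql://localhost:3306/testdb";
    static final String USER = "testuser";
    static final String PASSWORD = "testpass";

    /** The pattern from the thread: the value is spliced into the SQL text.
     *  A quote in value1 ends the literal early; a backslash is reinterpreted. */
    static int insertByConcatenation(Connection conn, String value1) throws SQLException {
        try (Statement st = conn.createStatement()) {
            return st.executeUpdate("insert into names (name) values ('" + value1 + "')");
        }
    }

    /** The fix Mark describes: a placeholder in the SQL, the value bound separately,
     *  so the driver quotes and escapes it (or sends it out of band to the server). */
    static int insertWithPreparedStatement(Connection conn, String value1) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("insert into names (name) values (?)")) {
            ps.setString(1, value1);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample values: an embedded quote and embedded backslashes.
        String[] samples = { "O'Brien", "C:\\temp\\new" };
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("create table if not exists names (name varchar(64))");
            }
            for (String v : samples) {
                try {
                    insertByConcatenation(conn, v);
                    System.out.println("concatenation accepted: " + v);
                } catch (SQLException e) {
                    // "O'Brien" lands here: the statement is no longer valid SQL.
                    System.out.println("concatenation failed on " + v + ": " + e.getMessage());
                }
                // Always stores v exactly as given, whatever characters it contains.
                insertWithPreparedStatement(conn, v);
            }
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("select name from names")) {
                while (rs.next()) {
                    System.out.println("stored: " + rs.getString(1));
                }
            }
        }
    }
}
```

Two caveats worth keeping in mind: the placeholder only protects values, so table or column names that come from input still have to be validated against an allow-list, and the escaping Mark refers to is what the driver does for client-side prepared statements; with server-side prepared statements the parameters never enter the SQL text at all, which is the stronger property.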

Thread
insert variables (Oana Radulescu, 29 Apr)
  • RE: insert variables (Mark Matthews, 29 Apr)
  • Re: insert variables (RITESH BISWAS, 30 Apr)
    • Re: insert variables (Ambrose Li, 30 Apr)
      • Re: insert variables (mmatthew, 30 Apr)
      • Re: insert variables (Tim Endres, 30 Apr)