On Fri, 30 Apr 1999, Ambrose Li wrote:
> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> > it uses + to concatenate 2 strings...even the variable.
> What if value1 has at least one ' in it? Wouldn't that generate
> a runtime error?
If you use PreparedStatements, the driver will automatically escape all
quotes and other bad characters, as well as not put quotes around numeric
values. It is probably the most flexible way to go.
Mark Matthews <mmatthew@stripped>
"Computers in the future may weigh no more than 2 tons." -Pop.Mech., 1947