On Fri, Apr 30 1999, Ambrose Li wrote:
> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> >
> > it uses + to concatenate 2 strings...even the variable.
>
> What if value1 has at least one ' in it? Wouldn't that generate
> a runtime error?
Yes. You either have to escape all of those cases in your code, or
you need to use a PreparedStatement. It looks something like this:
String statement = "UPDATE table SET field = ? " +   // trailing space, so the text reads "? WHERE"
                   "WHERE docid = ?";                 // bind the id as well; nothing is spliced into the SQL
PreparedStatement pstmt = connection.prepareStatement( statement );
pstmt.setString( 1, strValue );
pstmt.setString( 2, myDocId );
int rc = pstmt.executeUpdate();
pstmt.close();
The prepared statement will avoid all of the quoting and escaping
problems you would have otherwise.
tim.
Tim Endres, ICE Engineering, Inc.
mailto: time@stripped http://www.ice.com
"Usenet - A slow moving self parody." -- Peter Honeyman
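The failure Ambrose asks about and the two remedies Tim lists (escaping in your own code, or letting the driver bind parameters) can be reproduced end to end with Python's DB-API, whose `?` placeholders play the same role as JDBC's PreparedStatement. This is an added example, not code from the thread; the table `docs`, the columns `docid` and `field`, and the sample value containing a quote are constructed for the demonstration.

```python
import sqlite3


def setup():
    """Constructed fixture: an in-memory table with one row to update."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (docid TEXT PRIMARY KEY, field TEXT)")
    conn.execute("INSERT INTO docs VALUES ('doc-1', 'old')")
    conn.commit()
    return conn


def update_by_concatenation(conn, doc_id, value):
    """The pattern from the thread: values are spliced into the SQL text.

    A single quote inside `value` ends the string literal early and the
    rest of the value is parsed as SQL, so the statement fails (or worse,
    means something other than what was intended).
    """
    sql = ("UPDATE docs SET field = '" + value + "' "
           "WHERE docid = '" + doc_id + "'")
    return conn.execute(sql).rowcount


def update_with_manual_escaping(conn, doc_id, value):
    """Tim's first option: escape the quotes yourself.

    In SQL a literal single quote is written as two single quotes. This
    works for this one character, but every value on every statement has
    to be escaped the same way, and any one that is missed reintroduces
    the problem.
    """
    def quote(s):
        return "'" + s.replace("'", "''") + "'"
    sql = ("UPDATE docs SET field = " + quote(value) +
           " WHERE docid = " + quote(doc_id))
    return conn.execute(sql).rowcount


def update_with_parameters(conn, doc_id, value):
    """Tim's second option: a parameterised statement.

    The SQL text contains only placeholders; the driver hands the values
    to the database separately, so their content is never parsed as SQL.
    Both the value and the id are bound, so neither needs escaping.
    """
    cur = conn.execute("UPDATE docs SET field = ? WHERE docid = ?",
                       (value, doc_id))
    return cur.rowcount


def field_of(conn, doc_id):
    row = conn.execute("SELECT field FROM docs WHERE docid = ?",
                       (doc_id,)).fetchone()
    return row[0] if row else None


def demo():
    value = "O'Reilly"  # constructed sample: contains the problematic quote
    result = {}

    conn = setup()
    try:
        update_by_concatenation(conn, "doc-1", value)
        result["concat_error"] = None
    except sqlite3.OperationalError as exc:
        # The quote in the value broke the statement, as the thread predicts.
        result["concat_error"] = str(exc)
    result["after_concat"] = field_of(conn, "doc-1")  # still "old"

    conn = setup()
    result["escaped_rows"] = update_with_manual_escaping(conn, "doc-1", value)
    result["after_escaping"] = field_of(conn, "doc-1")

    conn = setup()
    result["param_rows"] = update_with_parameters(conn, "doc-1", value)
    result["after_params"] = field_of(conn, "doc-1")
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Run as a script it prints the three outcomes side by side: the concatenated statement raises a syntax error and leaves the row untouched, while both the escaped and the parameterised versions store `O'Reilly` intact. The parameterised form is the one to standardise on, because correctness no longer depends on remembering to escape each value.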