List: MySQL and Java
From: Tim Endres   Date: April 30 1999 4:37pm
Subject: Re: insert variables
On Fri, Apr 30 1999, Ambrose Li wrote:
> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> > 
> > it uses + to concatenate 2 strings...even the variable.
> 
> What if value1 has at least one ' in it? Wouldn't that generate
> a runtime error?

Yes. You either have to escape all of those cases in your code, or
you need to use a PreparedStatement. It looks something like this:

    // the '?' is a placeholder that the driver fills in for you
    String statement = "UPDATE table SET field = ? " +
                       "WHERE docid = '" + myDocId + "'";   // docid is still concatenated here; it could be bound with a second ? in the same way
    PreparedStatement pstmt = connection.prepareStatement( statement );
    pstmt.setString( 1, strValue );     // the driver quotes and escapes strValue
    int rc = pstmt.executeUpdate();
    pstmt.close();

The prepared statement will avoid all of the quoting and escaping
problems you would have otherwise.

tim.
Tim Endres, ICE Engineering, Inc.
   mailto: time@stripped    http://www.ice.com
   "Usenet - A slow moving self parody." -- Peter Honeyman
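The failure Ambrose asks about, and the two fixes Tim names (escaping by hand versus binding a parameter), shown side by side. This is an added example, not code from the thread; it uses Python's sqlite3 module rather than Java so it runs offline against an in-memory database, but the '?' placeholder does exactly what PreparedStatement.setString(1, ...) does in JDBC. The table name "docs", the column "body" and the input strings are all constructed for the demonstration.

```python
import sqlite3


def concatenated_insert(conn, value):
    """The pattern from the thread: the value is spliced into the SQL text.

    Returns the statement text that reached the parser, so a caller can see
    how a quote in the value changes the shape of the statement.
    """
    sql = "insert into docs (body) values ('" + value + "')"
    conn.execute(sql)
    return sql


def escaped_insert(conn, value):
    """The first option Tim mentions: escape the quotes yourself.

    Doubling a single quote is the SQL-standard escape and is enough for
    SQLite.  It is NOT enough for MySQL in its default mode, where a
    backslash is also an escape character: a value ending in a backslash
    would swallow the closing quote.  That is why the second option is
    preferred.
    """
    sql = "insert into docs (body) values ('" + value.replace("'", "''") + "')"
    conn.execute(sql)
    return sql


def parameterized_insert(conn, value):
    """The second option: a placeholder, as with a JDBC PreparedStatement.

    The SQL text never contains the value, so the value cannot alter the
    statement no matter what characters it holds.
    """
    conn.execute("insert into docs (body) values (?)", (value,))


def demo():
    """Run all three forms against an in-memory table and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table docs (id integer primary key, body text)")
    results = {}

    # 1. The case from the thread: an apostrophe in the value.
    #    Concatenation produces values ('O'Brien'), which is a syntax error.
    try:
        concatenated_insert(conn, "O'Brien")
        results["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "syntax error"

    #    The same value through a placeholder is stored verbatim.
    parameterized_insert(conn, "O'Brien")
    results["apostrophe_param"] = conn.execute("select body from docs").fetchone()[0]

    # 2. A value shaped to close the quote and open a second row.  With
    #    concatenation it is no longer data: two rows are inserted.
    payload = "x'), ('smuggled"
    concatenated_insert(conn, payload)
    results["rows_after_concat_payload"] = conn.execute(
        "select count(*) from docs").fetchone()[0]

    #    Hand-escaping and the placeholder each add exactly one row, and the
    #    stored text is the payload itself.
    escaped_insert(conn, payload)
    parameterized_insert(conn, payload)
    results["rows_after_safe_inserts"] = conn.execute(
        "select count(*) from docs").fetchone()[0]
    results["payload_rows_stored_verbatim"] = conn.execute(
        "select count(*) from docs where body = ?", (payload,)).fetchone()[0]

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the concatenated form failing on O'Brien and silently inserting an extra row for the second input, while the bound parameter stores both inputs as plain text in a single row each.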
Thread
  insert variables - Oana Radulescu - 29 Apr
    • RE: insert variables - Mark Matthews - 29 Apr
    • Re: insert variables - RITESH BISWAS - 30 Apr
      • Re: insert variables - Ambrose Li - 30 Apr
        • Re: insert variables - mmatthew - 30 Apr
        • Re: insert variables - Tim Endres - 30 Apr