From: Tim Endres
Date: April 30 1999 4:37pm
Subject: Re: insert variables
List-Archive: http://lists.mysql.com/java/79
Message-Id: <-150535981.925490229420.JavaMail.time@tbomb>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

On Fri, Apr 30 1999, Ambrose Li wrote:
> On Fri, Apr 30, 1999 at 08:59:06AM +0500, RITESH BISWAS wrote:
> > executeUpdate("insert into table values ('"+value1+"')");
> >
> > it uses + to concatenate 2 strings...even the variable.
>
> What if value1 has at least one ' in it? Wouldn't that generate
> a runtime error?

Yes. You either have to escape all of those cases in your code, or
you need to use a PreparedStatement. It looks something like this:

    // Note the space before WHERE; without it the two literals run together
    // into "... = ?WHERE ..." and the statement fails to parse.
    // Only strValue is bound as a parameter here; myDocId is still
    // concatenated into the SQL text.
    String statement = "UPDATE table SET field = ? " +
                       "WHERE docid = '" + myDocId + "'";
    PreparedStatement pstmt = connection.prepareStatement( statement );
    pstmt.setString( 1, strValue );   // driver handles quoting/escaping of strValue
    int rc = pstmt.executeUpdate();
    pstmt.close();

The prepared statement will avoid all of the quoting and escaping
problems you would have otherwise.

tim.

Tim Endres, ICE Engineering, Inc.
mailto: time@stripped
http://www.ice.com
"Usenet - A slow moving self parody." -- Peter Honeyman
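The exchange above boils down to one distinction: splicing a value into the SQL text versus binding it as a parameter. The following is an added example, not code from the thread, written in Python with the standard-library sqlite3 module so that it runs stand-alone without a JDBC driver or database server; the split between `update_concat` and `update_prepared` mirrors Java's `Statement` versus `PreparedStatement`. The table name `docs`, the columns `docid`/`field`, the sample rows and the payload strings are all constructed for the example. It goes one step beyond the posted snippet by binding the `docid` as well, so that an attacker-controlled identifier cannot widen the WHERE clause either.

```python
import sqlite3

# Constructed sample data (not from the mailing-list post).
SAMPLE_ROWS = [("1", "alpha"), ("2", "beta"), ("3", "gamma")]


def make_db():
    """In-memory table standing in for the poster's 'table' with docid/field columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (docid TEXT PRIMARY KEY, field TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_concat(conn, doc_id, value):
    """The concatenation idiom from the thread: both values are spliced into the SQL text.

    A single apostrophe in `value` breaks the statement (runtime error, as Ambrose Li
    suspected); a crafted `doc_id` changes which rows the WHERE clause matches.
    """
    sql = "UPDATE docs SET field = '" + value + "' WHERE docid = '" + doc_id + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_prepared(conn, doc_id, value):
    """Parameterised equivalent of the PreparedStatement: values are bound, never concatenated.

    The SQL text is fixed; the driver passes the values to the engine as data, so
    quotes inside them are stored literally and cannot alter the query structure.
    """
    cur = conn.execute("UPDATE docs SET field = ? WHERE docid = ?", (value, doc_id))
    conn.commit()
    return cur.rowcount


def field_of(conn, doc_id):
    """Read back one row's field value (parameterised, so it is safe for any doc_id)."""
    row = conn.execute("SELECT field FROM docs WHERE docid = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run the three scenarios from the thread and return their outcomes."""
    results = {}

    # 1. A value containing an apostrophe: the concatenated statement fails to parse.
    conn = make_db()
    try:
        update_concat(conn, "1", "O'Reilly")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "error"

    # 2. Worse than an error: a crafted docid makes the WHERE clause match every row.
    conn = make_db()
    results["concat_injected_rows"] = update_concat(conn, "1' OR '1'='1", "pwned")

    # 3. Bound parameters: the apostrophe is stored as-is and the payload matches nothing.
    conn = make_db()
    update_prepared(conn, "1", "O'Reilly")
    results["prepared_value"] = field_of(conn, "1")
    results["prepared_injected_rows"] = update_prepared(conn, "1' OR '1'='1", "pwned")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

Scenario 2 is the reason to bind the identifier as well as the field value: escaping the one string the user obviously typed does not help when the other string in the query can also be influenced, and parameter binding handles both uniformly.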