
single quote throws exception - JDK 1.4.2 and SQL Server

 
Sam Gehouse
Ranch Hand
Posts: 281
A value that is passed in the WHERE clause of a SQL statement has a quote in it, as in: my'value

Not using a prepared statement.

String sql = "Select * from myTable Where colValue = '" + val + "'";

val is passed in from the command line. The value of the val variable has a quote, as in: my'value.

An exception is thrown when a quote is encountered in the value of the val variable. The code works fine if the value of the val variable does not have a quote. Unfortunately I do not have the exception stack trace handy with me.

I tried adding an escape character (\) before the quote in the input at the command prompt, as in: my\'value

That did not work.

Following are the questions:

1. Will converting the SQL to a prepared statement help here?

2. Is there any other easy fix, instead of changing the code?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
Sam,
1) Yes. Using a prepared statement is the recommended solution. It also protects you from SQL injection attacks.
2) No. You need to change the code.
 
Dmitriy Davydenko
Greenhorn
Posts: 2
2) You may double all your '
Try something like val.replaceAll("'","''")
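The three approaches discussed in this thread side by side, as an added example (not code posted by anyone in the thread): the original string concatenation that breaks on my'value, the quote-doubling workaround from the reply above, and the prepared statement Jeanne recommends. It is written in JDK 1.4 style (no generics, no try-with-resources) to match the question. The table name myTable and column colValue come from the question; the JDBC URL, the driver on the classpath, and the two sample inputs are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class QuoteSafeLookup {

    /** 1. The original pattern: the value is glued into the SQL text. */
    static String concatenated(String val) {
        // A quote inside val ends the literal early. For my'value the driver
        // sends ... colValue = 'my'value' and SQL Server rejects it as
        // malformed, which is the exception from the question.
        return "Select * from myTable Where colValue = '" + val + "'";
    }

    /** 2. Quote doubling, the workaround suggested in the reply. */
    static String quoteDoubled(String val) {
        // In T-SQL two single quotes inside a literal stand for one literal
        // quote, so ... colValue = 'my''value' parses and matches my'value.
        // It is still string building: every call site has to remember it.
        return "Select * from myTable Where colValue = '"
                + val.replaceAll("'", "''") + "'";
    }

    /**
     * 3. Prepared statement: the SQL text is fixed and carries no user data.
     * The driver sends the value separately, so a quote in it is just a
     * character and cannot change the statement's structure.
     * Returns colValue of every matching row.
     */
    static List findByValue(Connection conn, String val) throws SQLException {
        List matches = new ArrayList();
        PreparedStatement ps = conn.prepareStatement(
                "Select * from myTable Where colValue = ?");
        try {
            ps.setString(1, val);   // no escaping needed, whatever val contains
            ResultSet rs = ps.executeQuery();
            try {
                while (rs.next()) {
                    matches.add(rs.getString("colValue"));
                }
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
        return matches;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed inputs: the value from the question, and an injection
        // payload of the kind concatenation lets through. With the second
        // input, concatenated() yields ... colValue = 'x' OR '1'='1', a
        // valid statement that returns every row in the table.
        String[] inputs = { "my'value", "x' OR '1'='1" };
        for (int i = 0; i < inputs.length; i++) {
            System.out.println("input:         " + inputs[i]);
            System.out.println("concatenated:  " + concatenated(inputs[i]));
            System.out.println("quote doubled: " + quoteDoubled(inputs[i]));
            System.out.println();
        }

        // Optional live run: java QuoteSafeLookup <jdbc-url> <value>
        // Assumes a SQL Server JDBC driver on the classpath (on JDK 1.4 it
        // must also be loaded with Class.forName before getConnection) and
        // a table myTable with a column colValue.
        if (args.length >= 2) {
            Connection conn = DriverManager.getConnection(args[0]);
            try {
                List rows = findByValue(conn, args[1]);
                System.out.println(rows.size() + " row(s) match " + args[1]);
            } finally {
                conn.close();
            }
        }
    }
}
```

Running the class with no arguments only prints the generated SQL for the two constructed inputs, which is enough to see why the concatenated form fails on my'value and what the doubled-quote form sends instead; passing a JDBC URL and a value exercises the prepared statement against a real database.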
 