ansaurus

Question

filerering / replacing single quote in java

Answer 1

+6 A:

I think you're approaching the problem from the wrong angle. I strongly suspect you're building your SQL like this:

String sql = "SELECT * FROM TABLE WHERE USERID='" + userInput + "'";

or something similar. Don't do that. Use a parameterized query instead, and supply the user input as the parameter. Every database I've ever used knows how to handle that, and it's the safe way to handle user input.

If you really, really just want to get rid of quotes, you can use:

text = text.replace("'", "");

... but please don't. Use a parameterized query instead.

Jon Skeet 2009-06-17 08:15:33

i cant do that i am using hibernate, so i want to do filtering in java itsel andnot at db level

2009-06-17 08:17:43

i dont want to loose it completely, is there any other way. wil replacing the quote with \' wil work??

2009-06-17 08:21:48

If you're using Hibernate, you shouldn't need to do this. It uses prepared statements itself, precisely to avoid SQL injections (and to improve performance). Please edit your question to give an example of how you're trying to execute the query, and we should be able to help.

Jon Skeet 2009-06-17 08:24:03

i want to do that in java only plz

2009-06-17 08:27:06

I'll second Jon Skeets answer. If you're using hibernate correctly, you shouldn't be getting any errors like this.

mikek 2009-06-17 08:29:54

Could you show us your query? =)

mikek 2009-06-17 08:30:30

i have to submit my project tmmoro so i cant do major changes now . i just want to filter quote in java

2009-06-17 08:31:20

You shouldn't need to make major changes. Filtering quotes yourself is the *wrong* approach. Show us some code, and we should be able to help you fix it quickly. Hibernate is *designed* for this not to be a problem.

Jon Skeet 2009-06-17 08:41:26

As previously said, the gist of the problem is that you're most likely trying to build an SQL statement by concatenating strings. This is very bad practice, and if you're instructor is good she'll mark you down for it. Use kd304's solution with PreparedStatement. It does exactly what you want. I promise that it won't take till tomorrow to implement.Also, what's the point of the assignment? If this is a hibernate exercise, you probably won't score any points by using it incorrectly.

mikek 2009-06-17 08:48:05

@Mike: If the OP is using Hibernate already, then changing to use a direct PreparedStatement wouldn't be ideal. Hibernate does the right thing normally, so we need to find out why the OP is seeing a problem. Then we can hopefully fix it in a way which fits with the rest of the application design. There's no need to change database access mechanism from Hibernate just to get around this.

Jon Skeet 2009-06-17 08:55:49

+1 for not doing it in code under any circumstances. No, no, never.

Henning 2009-06-17 09:18:10

Answer 2

+4 A:

Yes, use PreparedStatement.setString():

String sql = "SELECT * FROM table WHERE USERID = ?";
PreparedStatement pstmt = connection.prepareStatement(sql);
pstmt.setString(1, "O'Connor");
ResultSet rs = pstmt.executeQuery();

Escaping rules for databases differ. For example in Oracle you can duplicate the apostrope to get it escaped. In MySQL it is backslash + apostrophe (I think).

So either userInput = userInput.replaceAll("'", "''"); or userInput = userInput.replaceAll("'", "\\'");

kd304 2009-06-17 08:19:28

ansaurus

tags:

views:

answers:

filerering / replacing single quote in java

related questions