tags:

views:

898

answers:

6
+1  Q: 

Escaping an apostrophe in Java

I'm still somewhat new to Java and trying to insert data into a database. I'm getting an error when inserting a string containing 's so my end result would be to escape the apostrophe. How can I accomplish?

A: 

That's dependent on the database you are using. Usually '' works (I only have firsthand knowledge with SQL Server).

What database are you using?

Chris Kaminski  2009-11-04 18:31:11
I'm using mysql
Jonathan Kushner  2009-11-04 18:31:26
+2  A: 

Depends on the database, but you can use '' in SqlServer.

EDIT: In MySql you can use a double apostrophe or backslash: http://www.faqts.com/knowledge_base/view.phtml/aid/630

Michael Todd  2009-11-04 18:31:26
Double apostrophe in postgres
Ewan Todd  2009-11-04 18:33:18
And I'll agree with James in comment: use prepared statements. Much better long-term solution.
Michael Todd  2009-11-04 18:34:29
+11  A: 

Use prepared statements. As well as handling any special characters, they are much more robust and help prevent sql injection attacks.

james  2009-11-04 18:31:41
+1 This answer gets to the heart of the issue: hand-coding your own SQL in your method calls is bad practice, and opens you up to a host of security issues.
rtperson  2009-11-04 18:34:27
A good habit to get into, but perhaps overkill for learning the language.
Chris Kaminski  2009-11-04 18:34:27
... just ask Little Bobby Tables. :)
rtperson  2009-11-04 18:35:18
+1 for XKCD reference http://xkcd.com/327/
Chris Nava  2009-11-04 19:22:17
+5  A: 

The issue really isn't with Java, rather with the underlying database. Most likely you are stringing your parameters together like this:

  String sql = "select * from sometable where somefield = " + someObject.getSomeField();

Don't do that. Use PreparedStatement's instead.

That has the added advantage of preventing SQL injection attacks, if this is an application that has to be concerned about such things.

Yishai  2009-11-04 18:32:50
+1: it not only saves you from SQL injection attacks, but it also eases setting Java objects inside a SQL statement (Date, InputStream, etc) and is technically also more performant (precompiled at DB).
BalusC  2009-11-04 18:54:40
+1  A: 

I assume you are using a java.sql.Statement, and calling the executeQuery method with a String. That's bad, because it's possible to do SQL injection. You should use a java.sql.PreparedStatement instead, and then you can set any String that you want as a parameter, and you won't have your problem.

For example:

PreparedStatement pstmt = con.prepareStatement("UPDATE MY_TABLE SET TEXT_FIELD = ?");
pstmt.setString(1, "any String 'will work here!");
Kaleb Brasee  2009-11-04 18:33:58
+2  A: 

Using StringEscapeUtils:

StringEscapeUtils.escapeSql(yourstring);
RHSeeger  2009-11-04 18:34:11
That's exactly what I was looking for.
Jonathan Kushner  2009-11-04 19:18:39

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL