tags:

views:

909

answers:

2
+1  Q: 

single quotes and double quotes in mysql insert and update query (java)

The ComName is 'a'b'c'"def"j Limited.

i try to add \ before every ' and " but the resultant query that is executed is 

"UPDATE empTable SET empId= '25', ComName = 'a'b'c'"def"j Limited  where ID=1"

i don't see my Comname within '' and \ is not present before every ' and "

Here is the code to construct the column value 

columnValue.replaceAll("\'", "\\" + "\'");
columnValue.replaceAll("\"", "\\" + "\"");
columnValue=("'" + columnValue + "'");

How to insert string of these types?

+6  A: 

Take a look at PreparedStatements in the JDBC library. e.g.

PreparedStatement pstmt = con.prepareStatement("update Orders set pname = ? where Prod_Id = ?");
pstmt.setInt(2, 100);
pstmt.setString(1, "Bob");
pstmt.executeUpdate();

By using setString() etc. it will save you from having to quote strings. Here's a tutorial on how to use them.

EDIT: As Nick has highlighted below, this will save you not just from quoting issues, but from SQL injection (security) issues as well.

Brian Agnew  2009-12-07 10:31:16
+1 - there are hundreds of articles why escaping yourself doesn't just introduce bugs but security flaws
Nick Fortescue  2009-12-07 10:33:49
The realtime problem here is the column name , table name all are dynamic :( It will really hard to find the correct column order and data type
Sri Kumar  2009-12-07 10:36:07
+1  A: 

as quick fix you can try using Apache commons lang StringEscapeUtils#escapeSql or equivalent library such as this one

dfa  2009-12-07 10:52:40
Great API's!!! Really helpful for quick fixes
Sri Kumar  2009-12-07 12:35:06
use only as a quick fix, prepared statements are far better
dfa  2009-12-07 12:43:06
i understand, yet deadline, project phase plays a vital role too :)
Sri Kumar  2009-12-07 13:39:49

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL