tags:

views:

192

answers:

3
+4  Q: 

How to quote/escape identifiers such as column names with JDBC?

Different database servers use different ways to quote and escape identifiers.

E.g. "foo bar" vs `foo bar` vs [foo bar], or "10""" vs "10\"", or identifiers such as FooBar or array need to be quoted for some databases but not for others.

Is there any API method that performs the quoting/escaping correctly for a given database connection? Or any alternative solution?

+2  A: 

Don't escape identifiers. Don't quote column values either - use bound queries with PreparedStatement. It's a lot safer from SQL injection attacks.

Paul Tomblin  2010-01-10 19:09:26
What if the database I'm accessing uses identifiers that actually require quoting? PreparedStatement is great for passing values, but what about identifiers?
aditsu  2010-01-10 19:31:51
You shouldn't be using names that need quoting. Yishai's answer is pretty on the mark.
Paul Tomblin  2010-01-10 19:43:41
That's good when I can choose the names myself, but it's not always the case. There are legacy databases and many other situations, plus I may be writing some generic code that doesn't know the actual names (e.g. they're passed as parameters).
aditsu  2010-01-10 20:07:23
+4  A: 

I think the answer to your question is that if you are writing a database neutral application using JDBC, then you need to use database neutral names, and not things that require special escaping per database vendor.

There is nothing I know of in the JDBC which supports that. A ORM product will deal with such things.

Edit: If you are writing an ORM, then I would think need a seperate SQL generation class for each supported database, just to handle the various syntax involved, so you would have to write that. You can certainly look at the source code of the various open source ORM's out there and see how they handle it.

Yishai  2010-01-10 19:14:40
Good point about database-neutral names, but surprises can still appear (e.g. a certain identifier may not be acceptable in another database).Also, what if I'm.. actually writing an ORM? Would it require a separate hand-coded quote/escape implementation for each supported database?
aditsu  2010-01-10 19:36:48
Stick to the rules for identifier naming in the SQL standard. Those will work anywhere.
Paul Tomblin  2010-01-10 19:44:33
+2  A: 

Have a look at 

DatabaseMetaData.getIdentifierQuoteString()

I never used it but it sounds good :-)

getExtraNameCharacters() could also be of some help

Carlos Heuberger  2010-01-10 21:24:51
Not a complete solution, but definitely useful!
aditsu  2010-01-11 06:07:41

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java