tags:

views:

1263

answers:

2
Q: 

Inserting string with single quotes from Java into Postgresql

I'm inserting text from a Java application into a Postgresql database, but it all crashes when a ' char is encountered in the String. I've tried using replaceAll(" ' ", " \\' "); even diffrent variants of it with more \ chars, yet it still puts a single ' in the String without the escape sign.

Is there any way of replacing the ' with an \' in the String? Or another way of putting Strings containig single quotes into Postgresql?

+1  A: 

Most SQL implementations use '' (2 single quotes) to escape a single quote.

Example:

SELECT * FROM users WHERE f_name=''foobar'';
Matthew Vines  2009-06-04 22:43:27
Yes, this is a feature of standard SQL and PostgreSQL supports this. See http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS
Bill Karwin  2009-06-04 22:45:15
But you still want to use bind variables and prepared statements.
Thilo  2009-06-04 22:48:20
Thank you, that worked perfectly.
Malthan  2009-06-04 22:48:25
I would agree that prepared statements are the way to go. But sometimes legacy code makes you choose your battles.
Matthew Vines  2009-06-04 22:50:12
I doubt legacy code is an issue here. PostegreSQL has a JDBC driver.
Matthew Flaschen  2009-06-04 22:52:19
+14  A: 

You shouldn't have to worry about doing this manually if you're using prepared statements properly.

Matthew Flaschen  2009-06-04 22:44:37
+1 for prepared statements. Those are really the proper way to do this.
Joey  2009-06-04 22:47:32
+1 for prepared statements from me too. Be careful about exposing yourself to SQL injection attacks.
Bert F  2009-06-04 22:55:18
Thank you, I followed Your advice and changed it to a proper prepared statement, turned out I was using it the wrong way. This also resolved the issue.
Malthan  2009-06-04 23:03:02
I'd recommend moving the accepted answer to this one. That way other folks will see the correct solution first. Nothing wrong, exactly, with the single quote escaping, but it's not generally a good practice to build SQL strings like that.
Kevin Day  2009-06-05 05:33:27

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java