This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Hi All, I've set up a form on a jsp page where I have both a text field and two textarea boxes. The only problem is when I have a string of text which includes a single quote e.g. Why won't this work? I get an error similar to the following: java.sql.SQLException: [Microsoft][odbc SQL Server Driver] [SQL Server]Line 1: Incorrect syntax near 'why'. When I take out the single quote it works. Why is it causing an error? Any help will be very much appreciated. Many Thanks Rita.
Rita This is more of a JDBC question than a general one. Check out the JDBC forum for your answer. This is a fairly poplar question and has been asked quite often in the past. you can also do a search of the JDBC forum for your answer too - that would probably be the fastest way to get an answer. Here's a hint for you to get you started - 'preparedStatement'.
When you put user submitted data into a database using sql you have to be very careful. The main problem is that sql inserts are a string of code that gets interpretted. The data is usually between quotes or single quotes. If a malicious user were able to put a quote or a single quote into their data they would be able to insert sql code that could do things like delete all the records in your database. The way to deal with this is to escape any quotes in the data. Actually there are a whole range of characters that need to be escaped to be safe. I have written a method to do so. You can find it at: http://ostermiller.org/utils/StringHelper.html Similarly, if you write the data back out to html. You must make sure that there is no html characters in it or that all html characters are properly escapes. Otherwise you run the risk of cross site scripting vulnerabilities. A malicious cracker could direct a user to your site with a script in the data that would steal the users cookies and send them to the cracker. There is also a function in StringHelper to escape the data for html.
Joined: Dec 04, 2001
Thanks for all your help guys. And Steve your information is really helpful. So cheers mate. Kind Regards, Rita.