
escaping quotes, single quotes in a string

Rachel Andrew
Greenhorn

Joined: Nov 07, 2002
Posts: 9
Hi
Using Struts. I have a class that extends Action doing a database insert, which fails on any insert that contains single or double quotes (I'm inserting html so I obviously need to be doing that) .. what's the best way to escape those quotes within the class, and then remove them again before using the html from the database?
Thanks
Rachel
Barry Gaunt
Ranch Hand

Joined: Aug 03, 2002
Posts: 7729
I'm not sure exactly what you are after here, but
what about using: double quote " as & #34; and single quote ' as & #39;?
(Without the spacing after the ampersand)
[ April 19, 2003: Message edited by: Barry Gaunt ]

Ask a Meaningful Question and HowToAskQuestionsOnJavaRanch
Getting someone to think and try something out is much more useful than just telling them the answer.
Rachel Andrew
Greenhorn

Joined: Nov 07, 2002
Posts: 9
I mean in order for the insert to happen - if there are quotes then it won't - in PHP I would use addslashes so I wind up with \' \" and stripslashes to get rid of them before displaying on the page - is there an equivalent in Java?
Your method would be fine if this was just text I was inserting but I need the quotes once this is on the page as it is html that would be rendered
Rachel
[ April 19, 2003: Message edited by: Rachel Andrew ]
Layne Lund
Ranch Hand

Joined: Dec 06, 2001
Posts: 3061
Perhaps it will help if you post the code from your Java program. However, if I understand what you are asking, the equivalent in Java is EXACTLY what you said: inside a string literal \" stands for a literal ". In fact, you won't have to manually remove the \ since Java takes care of it for you. You can escape a single quote in a similar way: \'. I don't think this is necessary when the single quote is inside a string constant, though, but I'm not sure about that.
The underlying concept here is called escape characters. This is a common problem with any computer language since certain characters have special meaning. In this case, the " and ' delimit String and char constants. To get either of these characters within a String or char, you simply use the "escape character" \. Even though you type two characters, the Java compiler interprets them as one. This is exactly the same as other special characters such as \n, \r, and \t.
HTH
Layne


Java API Documentation
The Java Tutorial
Rachel Andrew
Greenhorn

Joined: Nov 07, 2002
Posts: 9
Here is my class:
package com.admin;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.util.Locale;
import java.util.Vector;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;
import java.sql.*;
import java.util.ArrayList;
import javax.sql.*;
import javax.servlet.ServletContext;

/**
 *
 * @author rachel
 */
public class ArticleInsertAction extends Action {

    public ActionForward perform(ActionMapping mapping,
                                 ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {

        ArticleData f = (ArticleData) form;
        String articleTitle = f.getArticleTitle();
        String articleContent = f.getArticleContent();
        Connection con = null;
        Statement stmt = null;

        try {
            ServletContext context = servlet.getServletContext();
            DataSource dataSource = (DataSource) context.getAttribute(Action.DATA_SOURCE_KEY);
            con = dataSource.getConnection();
            stmt = con.createStatement();
            /** Insert record */
            // The form values are concatenated into the SQL text as-is, so a
            // quote in either string ends the literal early and the insert fails.
            StringBuffer insertQuery = new StringBuffer("INSERT INTO tblArticles (articleTitle, articleContent) VALUES ('");
            insertQuery.append(articleTitle);
            insertQuery.append("','");
            insertQuery.append(articleContent);
            insertQuery.append("')");
            String sql = insertQuery.toString();

            // executeUpdate, not executeQuery: an INSERT returns no ResultSet
            stmt.executeUpdate(sql);

        } catch (Exception ex) {
            System.out.println("There has been an error");
            ex.printStackTrace(); // show the actual SQL error
        } finally {
            // Return the statement and connection to the pool
            try { if (stmt != null) stmt.close(); } catch (SQLException ignored) { }
            try { if (con != null) con.close(); } catch (SQLException ignored) { }
        }
        return mapping.findForward("success");
    }

}

--------------
if the string articleTitle or articleContent contain quotes the insert then fails, so all I am really asking is what is the best method to escape these quotes here?
Rachel
Barry Gaunt
Ranch Hand

Joined: Aug 03, 2002
Posts: 7729
So isn't the problem really one of escaping single/double quotes in sql statements?
Excuse my puzzlement.
So if your java string variable contained: <font color='red'> you must have <font color=''red''> in the sql? (that's two single quotes replacing one single quote)
If that is so, maybe this will help (it's not mine):


[ April 19, 2003: Message edited by: Barry Gaunt ]
Rachel Andrew
Greenhorn

Joined: Nov 07, 2002
Posts: 9
yes that's the problem - but PreparedStatement doesn't seem to help - I've just tried it and if I have a string that is:
this is a test
the insert works but if I have a string that is
this is a ' test
no insert occurs. Maybe I should take this to the JDBC forum?
Rachel
Barry Gaunt
Ranch Hand

Joined: Aug 03, 2002
Posts: 7729
Sorry, Rachel, I don't have JDBC on this system, and besides it's late... back tomorrow. I hope you get some help here in the meantime.
Dirk Schreckmann
Sheriff

Joined: Dec 10, 2001
Posts: 7023
PreparedStatement is the easy way to go. It will escape characters properly for you. Perhaps you didn't use it correctly in your earlier attempt.
Following is a simple example of using a PreparedStatement to insert a new entry (containing an apostrophe) into a table named stores. The table stores contains three varchar columns: an id number, a first name, and a last name (it's just an example use of PreparedStatement).


[How To Ask Good Questions] [JavaRanch FAQ Wiki] [JavaRanch Radio]
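Added example, not part of the original thread and not the code Dirk posted: the insert from ArticleInsertAction rewritten with a PreparedStatement, using the tblArticles table and column names from that post, plus a read-back showing that no unescaping step is needed. The class name, the JDBC URL taken from the command line and the sample strings are assumptions made for this illustration, and a JDBC driver for your database must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical class name; table and columns are those from the thread.
public class ArticleInsertExample {

    private static final String INSERT_SQL =
        "INSERT INTO tblArticles (articleTitle, articleContent) VALUES (?, ?)";
    private static final String SELECT_SQL =
        "SELECT articleContent FROM tblArticles WHERE articleTitle = ?";

    // Bind the values as parameters: the driver treats them as data (binding
    // or escaping as the database requires), so quotes in the HTML cannot end
    // the literal early or change what the statement does.
    static int insertArticle(Connection con, String title, String content)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, title);
            ps.setString(2, content);
            return ps.executeUpdate(); // INSERT yields a row count, not a ResultSet
        }
    }

    // Read the content back; it comes out exactly as stored, with no unescaping.
    static String loadContent(Connection con, String title) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(SELECT_SQL)) {
            ps.setString(1, title);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of a database that already has tblArticles (assumption).
        // Constructed sample input containing both kinds of quote.
        String title = "this is a ' test";
        String html = "<font color='red'>She said \"hi\"</font>";
        try (Connection con = DriverManager.getConnection(args[0])) {
            int rows = insertArticle(con, title, html);
            String stored = loadContent(con, title);
            System.out.println(rows + " row inserted; round trip intact: "
                + html.equals(stored));
        }
    }
}
```

Inside a Struts action the Connection would come from the DataSource as in the original class instead of DriverManager.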
Barry Gaunt
Ranch Hand

Joined: Aug 03, 2002
Posts: 7729
I have just tried this with mysql and JDBC and I see that the inserted record has single and double quotes escaped by backslashes.
Rachel Andrew
Greenhorn

Joined: Nov 07, 2002
Posts: 9
thank you - got it working
Rachel
 