
escaping quotes, single quotes in a string

 
Rachel Andrew
Greenhorn
Posts: 9
Hi
Using Struts. I have a class that extends Action doing a database insert, which fails on any insert that contains single or double quotes (I'm inserting html so I obviously need to be doing that)... what's the best way to escape those quotes within the class, and then remove them again before using the html from the database?
Thanks
Rachel
 
Barry Gaunt
Ranch Hand
Posts: 7729
I'm not sure exactly what you are after here, but
what about using: double quote " as & #34; and single quote ' as & #39;?
(Without the spacing after the ampersand)
[ April 19, 2003: Message edited by: Barry Gaunt ]
 
Rachel Andrew
Greenhorn
Posts: 9
I mean in order for the insert to happen - if there are quotes then it won't - in PHP I would use addslashes so I wind up with \' \" and stripslashes to get rid of them before displaying on the page - is there an equivalent in Java?
Your method would be fine if this was just text I was inserting but I need the quotes once this is on the page as it is html that would be rendered
Rachel
[ April 19, 2003: Message edited by: Rachel Andrew ]
 
Layne Lund
Ranch Hand
Posts: 3061
Perhaps it will help if you post the code from your Java program. However, if I understand what you are asking, the equivalent in Java is EXACTLY what you said: inside a string literal \" stands for a literal ". In fact, you won't have to manually remove the \ since Java takes care of it for you. You can escape a single quote in a similar way: \'. I don't think this is necessary when the single quote is inside a string constant, though, but I'm not sure about that.
The underlying concept here is called escape characters. This is a common problem with any computer language since certain characters have special meaning. In this case, the " and ' delimit String and char constants. To get either of these characters within a String or char, you simply use the "escape character" \. Even though you type two characters, the Java compiler interprets them as one. This is exactly the same as other special characters such as \n, \r, and \t.
HTH
Layne
 
Rachel Andrew
Greenhorn
Posts: 9
Here is my class:
package com.admin;

import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 *
 * @author rachel
 */
public class ArticleInsertAction extends Action {

    public ActionForward perform(ActionMapping mapping,
                                 ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {

        ArticleData f = (ArticleData) form;
        String articleTitle = f.getArticleTitle();
        String articleContent = f.getArticleContent();
        Connection con = null;
        Statement stmt = null;

        try {
            ServletContext context = servlet.getServletContext();
            DataSource dataSource = (DataSource) context.getAttribute(Action.DATA_SOURCE_KEY);
            con = dataSource.getConnection();
            stmt = con.createStatement();

            /* Insert record. The form values are pasted straight into the SQL
               text, so a single quote inside them ends the string literal early:
               this is why the insert fails on quoted input (it is also a SQL
               injection sink, since the input can change the statement). */
            StringBuffer insertQuery = new StringBuffer(
                "INSERT INTO tblArticles (articleTitle, articleContent) VALUES ('");
            insertQuery.append(articleTitle);
            insertQuery.append("','");
            insertQuery.append(articleContent);
            insertQuery.append("')");
            String sql = insertQuery.toString();

            // INSERT is a DML statement, so executeUpdate (not executeQuery) is the right call
            stmt.executeUpdate(sql);

        } catch (SQLException ex) {
            System.out.println("There has been an error: " + ex.getMessage());
        } finally {
            // Release the statement and hand the pooled connection back
            try { if (stmt != null) stmt.close(); } catch (SQLException ignore) { }
            try { if (con != null) con.close(); } catch (SQLException ignore) { }
        }
        return mapping.findForward("success");
    }
}

--------------
If the string articleTitle or articleContent contains quotes, the insert then fails, so all I am really asking is what is the best method to escape these quotes here?
Rachel
 
Barry Gaunt
Ranch Hand
Posts: 7729
So isn't the problem really one of escaping single/double quotes in sql statements?
Excuse my puzzlement.
So if your java string variable contained: <font color='red'> you must have <font color=''red''> in the sql? (that's two single quotes replacing one single quote)
If that is so, maybe this will help (it's not mine):


[ April 19, 2003: Message edited by: Barry Gaunt ]
 
Rachel Andrew
Greenhorn
Posts: 9
yes that's the problem - but PreparedStatement doesn't seem to help - I've just tried it and if I have a string that is:
this is a test
the insert works but if I have a string that is
this is a ' test
no insert occurs. Maybe I should take this to the JDBC forum?
Rachel
 
Barry Gaunt
Ranch Hand
Posts: 7729
Sorry, Rachel, I don't have JDBC on this system, and besides it's late... back tomorrow. I hope you get some help here in the meantime.
 
Dirk Schreckmann
Sheriff
Posts: 7023
PreparedStatement is the easy way to go. It will escape characters properly for you. Perhaps you didn't use it correctly in your earlier attempt.
Following is a simple example of using a PreparedStatement to insert a new entry (containing an apostrophe) into a table named stores. The table stores contains three varchar columns: an id number, a first name, and a last name (it's just an example use of PreparedStatement).
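The same insert as Rachel's action, rewritten around a PreparedStatement as an added example (not Dirk's code from the thread and not part of Rachel's project); it assumes a Connection taken from the DataSource the way her Action does, and the class and method names are chosen here for illustration. The quote characters never become part of the SQL text, so no escaping or later un-escaping step is needed and the input cannot change the statement:

```java
package com.admin;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Inserts an article with bound parameters. The driver sends the title and
 * content as values, separate from the SQL, so ' and " inside them are
 * stored as typed and come back unchanged on SELECT.
 */
public class ArticleDao {

    // The ? placeholders are filled by the driver; nothing is concatenated
    private static final String INSERT_SQL =
        "INSERT INTO tblArticles (articleTitle, articleContent) VALUES (?, ?)";

    /** Returns the number of rows inserted (1 on success). */
    public static int insertArticle(Connection con, String title, String content)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(INSERT_SQL);
        try {
            ps.setString(1, title);    // e.g. "this is a ' test"
            ps.setString(2, content);  // e.g. "<font color='red'>\"hi\"</font>"
            return ps.executeUpdate(); // executeUpdate, not executeQuery, for an INSERT
        } finally {
            ps.close();                // release the statement even if the insert fails
        }
    }
}
```

Inside the Action this replaces the StringBuffer build-up and createStatement with a single `ArticleDao.insertArticle(con, articleTitle, articleContent)` call.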
 
Barry Gaunt
Ranch Hand
Posts: 7729
I have just tried this with mysql and JDBC and I see that the inserted record has single and double quotes escaped by backslashes.
 
Rachel Andrew
Greenhorn
Posts: 9
thank you - got it working
Rachel
 