In my servlet I have a database insert code which depends on a request parameter. If I enter the " ' " character in the text box it results in SQLException because the string is terminated from that point. In order to allow the " ' " key what should I do? Should I need to block the key or replace it with " \' " character, or is there any mechanism to handle it?
[ August 03, 2007: Message edited by: Dilshan Edirisuriya ]
I haven't used PreparedStatement at all in my code. I have used Statement object instead of that. I think it is hard to change the coding now because there are around 150 classes that use that. So what should I do? Is it okay if I use StringEscapeUtils class to cope with that?
I'm not familiar with that library, but you will need to ensure, somehow, that SQL code entered by a user can never be run in your statements.
In particular, you'll need to make sure that words like UPDATE, DELETE, INSERT, and SELECT are always escaped. [ August 07, 2007: Message edited by: Ben Souther ]
Go through this: Preventing sql injection. Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver. Even from a performance point of view prepared statements are faster than the ones you use. Hope this helps.
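Added example (not code from the thread or from any poster) showing the two patterns discussed above side by side: the concatenated Statement that fails on an apostrophe, and the PreparedStatement version where the value is bound as a parameter and the driver handles quoting. It assumes the sqlite-jdbc driver is on the classpath (the `jdbc:sqlite::memory:` URL is that driver's); the class name, table name and the "O'Brien" input are constructed for the demonstration and any JDBC driver would behave the same way.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class QuoteSafeInsert {

    // Original pattern: user input concatenated into the SQL text.
    // A single quote in the input ends the string literal early, so the
    // statement either fails (the SQLException from the thread) or, worse,
    // runs text the user supplied.
    static String buildWithConcatenation(String userName) {
        return "INSERT INTO users (name) VALUES ('" + userName + "')";
    }

    // Fixed pattern: the SQL text never changes; the value travels as a
    // bound parameter, so the driver quotes it correctly for the database.
    static void insertWithPreparedStatement(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("INSERT INTO users (name) VALUES (?)")) {
            ps.setString(1, userName);
            ps.executeUpdate();
        }
    }

    // Plain Statement is fine here because the SQL text contains no user data.
    static int countUsers(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM users")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: the apostrophe the original poster could not store.
        String input = "O'Brien";

        // Assumption: sqlite-jdbc on the classpath; an in-memory DB keeps this self-contained.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                st.executeUpdate("CREATE TABLE users (name VARCHAR(100))");
            }

            String sql = buildWithConcatenation(input);
            System.out.println("Concatenated SQL: " + sql);
            try (Statement st = conn.createStatement()) {
                st.executeUpdate(sql);
            } catch (SQLException e) {
                // Expected: the literal is terminated at O' and the rest is a syntax error.
                System.out.println("Statement failed as in the thread: " + e.getMessage());
            }

            insertWithPreparedStatement(conn, input);
            System.out.println("Rows after PreparedStatement insert: " + countUsers(conn));
        }
    }
}
```

Replacing the quote with `\'` by hand, as the question suggests, only works for databases that accept backslash escaping (MySQL does; standard SQL doubles the quote to `''`), so an escaping helper has to match the dialect exactly and be applied at every one of the 150 call sites. Binding the value with `setString` moves that job into the driver, and the migration can be done one class at a time since both patterns can share the same Connection.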