I am relatively new to JSP and am trying to make a form to insert some articles my friends and I are writing. The problem is when I try to insert an apostrophe into my form it causes an error in my JSP. I have read some things on escape characters and such but I am a little confused. I have also tried using tinyMCE so I can keep the punctation for my articles but that seems to present problems because it is inserting special characters to form the HTML. I tried using an escapeXML string for my input but when I display the page all the characters are escaped. What should I do? Is there a setting in MySQL or is there some kind of easy little trick I am overlooking? Please advise...
Thank you so much for your consideration and help!!!
Why do you say I should only use JSP for the MVC? With all due respect, I don't understand why they would make all kinds of tools to access a database from JSP using services such as the SQL portion of JSTL if you were to only supposed to use JSP for the MVC. Additionally, how would I use the prepared statement to fix the problem of things like apostrophes. Like I said I am new to JavaServlets and JSP so I am just trying to figure out how all this stuff works. My reference material is all in book for with people who all have differing opinions of how you should use this kind of technology. Thank you for your prompt response.
(skipping the MVC part, and reverting to the original question)
Additionally, how would I use the prepared statement to fix the problem of things like apostrophes.
Moojid has pointed you to the right approach.
if you create an SQL statement with PreparedStatement, you bind your values to the query, in stead of inserting them.
Magically, all your apostrophe problems are gone. No escapes hassle or anything.
It's not difficult. Give it a try.
According to my JavaDocs for JSTL all SQL executions are done in a PreparedStatement. Here is the following information from the Javadoc:
public interface SQLExecutionTag
This interface allows tag handlers implementing it to receive values for parameter markers in their SQL statements.
This interface is implemented by both <sql:query> and <sql:update>. Its addSQLParameter() method is called by nested parameter actions (such as <sql:param>) to substitute PreparedStatement parameter values for "?" parameter markers in the SQL statement of the enclosing SQLExecutionTag action.
The given parameter values are converted to their corresponding SQL type (following the rules in the JDBC specification) before they are sent to the database.
Keeping track of the index of the parameter values being added is the responsibility of the tag handler implementing this interface
The SQLExcecutionTag interface is exposed in order to support custom parameter actions which may retrieve their parameters from any source and process them before substituting them for a parameter marker in the SQL statement of the enclosing SQLExecutionTag action
How is it that the JSTL method would have issues inserting?