What's the proper technique for handling special characters (", ') input by a user in a text field or text area for database entry? SQL kicks them out as errors when trying to enter.
The information I've read has been a little bit inconsistent. A seemingly platform/database-independent solution that I've seen some people use is to escape the single quote with another single quote. So, ' becomes ''. A more complete solution, so that you don't have to worry about what characters to escape and whether it would work on all platforms/databases, would be to use a PreparedStatement - but I don't know what the nitpicker is looking for.
What does "escape manually" mean? I can't expect users to enter anything other than the literal entry data. Does this mean I should monitor and alter their input to suit the programming syntax?
I wrote a method: validSQL. You decide whether you use ' or " as the string delimiter in SQL (I did "). Then the method replaces the 'wrong' ones with the HTML escape character, e.g. a " becomes &quot; etc. Hope this helps.
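Added example (not code from any of the posters above) contrasting the three approaches discussed in this thread: the quote-doubling escape and the PreparedStatement from the second post, and an HTML-entity replacement along the lines of the validSQL method in the last post (that method itself is not shown on the page, so the `insert_html_escaped` function is my reconstruction of what it describes). It uses Python's built-in sqlite3 module with an in-memory database, and the user input and note texts are constructed sample data. It also shows why the quote matters beyond the error message the question mentions: the same unescaped quote lets a caller rewrite the WHERE clause.

```python
import sqlite3

# Constructed sample input: what a user might type into a text field.
USER_INPUT = """O'Reilly said "hi"; DROP TABLE notes; --"""
# Constructed search input that abuses an unescaped quote.
INJECTION = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def insert_naive(conn, text):
    """Plain concatenation: the first ' in the input ends the literal,
    so the statement is malformed. This is the error from the question."""
    conn.execute("INSERT INTO notes (body) VALUES ('" + text + "')")


def insert_quote_doubled(conn, text):
    """Manual escaping: doubling ' is the SQL-standard way to put a quote
    inside a single-quoted literal. Correct for SQLite and standard SQL,
    but it only covers the quote; engines with extra escape characters
    (MySQL treats backslash specially by default) need more."""
    conn.execute("INSERT INTO notes (body) VALUES ('"
                 + text.replace("'", "''") + "')")


def insert_html_escaped(conn, text):
    """HTML-entity replacement (reconstruction of the validSQL idea):
    the statement now parses, but what is stored is no longer what the
    user typed."""
    mangled = text.replace("'", "&#39;").replace('"', "&quot;")
    conn.execute("INSERT INTO notes (body) VALUES ('" + mangled + "')")


def insert_parameterized(conn, text):
    """Prepared statement: the value never becomes part of the SQL text,
    so nothing has to be escaped and the literal input is stored."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def search_naive(conn, text):
    """Concatenated WHERE clause: an unescaped quote changes the query."""
    return [r[0] for r in conn.execute(
        "SELECT body FROM notes WHERE body = '" + text + "'")]


def search_parameterized(conn, text):
    """Parameterized WHERE clause: the input is only ever compared as data."""
    return [r[0] for r in conn.execute(
        "SELECT body FROM notes WHERE body = ?", (text,))]


def stored(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes")]


def demo():
    """Run each insert strategy on USER_INPUT in a fresh database and
    return what ended up stored (or the error raised)."""
    results = {}
    for name, fn in [("naive", insert_naive),
                     ("doubled", insert_quote_doubled),
                     ("html", insert_html_escaped),
                     ("param", insert_parameterized)]:
        conn = make_db()
        try:
            fn(conn, USER_INPUT)
            results[name] = stored(conn)
        except (sqlite3.Error, sqlite3.Warning) as e:
            results[name] = "error: " + str(e)
    return results


def injection_demo():
    """Two notes are stored; the naive search with INJECTION matches both,
    the parameterized search matches none. Returns (naive, parameterized)."""
    conn = make_db()
    insert_parameterized(conn, "first note")
    insert_parameterized(conn, "second note")
    return (len(search_naive(conn, INJECTION)),
            len(search_parameterized(conn, INJECTION)))


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
    print("rows matched by injected search (naive, parameterized):",
          injection_demo())
```

The quote-doubled and parameterized inserts both store the input exactly as typed; the HTML-entity version stores `&#39;` and `&quot;` in place of the user's quotes, so anything reading the column back gets altered data. Of the two that work, only the parameterized one needs no knowledge of the target database's escaping rules, which is what makes it the portable answer.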