Proper technique for special characters

 
Ranch Hand
Posts: 129
What's the proper technique for handling special characters (", ') input by a user in a text field or text area for database entry? SQL kicks them out as errors when trying to enter.
 
Sheriff
Posts: 7023
The information I've read has been a little bit inconsistent. A seemingly platform/database independent solution that I've seen some people use is to escape the single quote with another single quote. So, ' becomes '' .
A more complete solution, so that you don't have to worry about what characters to escape and whether it would work on all platforms/databases, would be to use a PreparedStatement - but I don't know what the nitpicker is looking for.
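The two approaches in this reply side by side, as an added example that is not code from the thread or from any of its posters. It assumes an in-memory H2 database on the classpath (any JDBC driver would do), a constructed table named guestbook, and constructed sample input; the method names are mine. The doubled-single-quote escape is correct when, and only when, the value is placed inside a single-quoted string literal; the example also shows the case the escape cannot cover, a numeric column, where the same "escaped" input is simply executed as SQL, and how the PreparedStatement version handles both cases without any escaping code.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Manual quote escaping versus PreparedStatement, run against an in-memory
 * H2 database (assumed dependency: the H2 driver jar on the classpath).
 */
public class QuoteHandling {

    // The "manual escape" from the thread: double every single quote so the
    // value can sit inside a single-quoted SQL string literal.
    static String escapeSingleQuotes(String s) {
        return s.replace("'", "''");
    }

    // INSERT built by string concatenation; only safe because every value is
    // quoted AND escaped, and because this database has no other escape rules.
    static int insertByConcatenation(Connection c, String name, String comment) throws SQLException {
        String sql = "INSERT INTO guestbook(name, comment) VALUES ('"
                + escapeSingleQuotes(name) + "', '"
                + escapeSingleQuotes(comment) + "')";
        try (Statement st = c.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // Same INSERT with placeholders: values travel separately from the SQL
    // text, so quotes in user input never reach the SQL parser at all.
    static int insertWithPreparedStatement(Connection c, String name, String comment) throws SQLException {
        String sql = "INSERT INTO guestbook(name, comment) VALUES (?, ?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, comment);
            return ps.executeUpdate();
        }
    }

    // Where manual escaping silently fails: a numeric column is not quoted, so
    // doubling single quotes changes nothing and the input becomes SQL.
    static int countByIdConcatenated(Connection c, String idFromUser) throws SQLException {
        String sql = "SELECT COUNT(*) FROM guestbook WHERE id = " + escapeSingleQuotes(idFromUser);
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Parameterised version: the value is bound as an integer, so non-numeric
    // input fails at parse time instead of rewriting the WHERE clause.
    static int countByIdPrepared(Connection c, String idFromUser) throws SQLException {
        String sql = "SELECT COUNT(*) FROM guestbook WHERE id = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, Integer.parseInt(idFromUser)); // throws NumberFormatException for "1 OR 1=1"
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE guestbook(id INT AUTO_INCREMENT PRIMARY KEY, "
                        + "name VARCHAR(100), comment VARCHAR(1000))");
            }
            // Constructed sample input: an apostrophe in the name, both quote kinds in the comment.
            String name = "O'Brien";
            String comment = "He said \"it's fine\"";
            insertByConcatenation(c, name, comment);       // 1 row: both fields were quoted and escaped
            insertWithPreparedStatement(c, name, comment); // 1 row: no escaping code needed

            // Constructed hostile input aimed at the numeric column.
            String hostile = "1 OR 1=1";
            System.out.println("concatenated: " + countByIdConcatenated(c, hostile)); // 2: clause became always-true
            try {
                countByIdPrepared(c, hostile);
            } catch (NumberFormatException e) {
                System.out.println("prepared: rejected non-numeric id");
            }
            System.out.println("prepared: " + countByIdPrepared(c, "1")); // 1
        }
    }
}
```

The escaping rule in the concatenated path is also database-specific: MySQL, for instance, additionally treats a backslash as an escape character in string literals unless NO_BACKSLASH_ESCAPES is set, so a value such as `\'` would still break out of the literal after single quotes have been doubled. The PreparedStatement path has no such per-database rule to get wrong, which is the portability argument made in the reply above.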
 
Dirk Schreckmann
Sheriff
Posts: 7023
Update: It would appear that using a PreparedStatement is not necessary for these assignments - just escape "manually".
 
Darryl Failla
Ranch Hand
Posts: 129
What does "escape manually" mean? I can't expect users to enter anything other than the literal entry data. Does this mean I should monitor and alter their input to suit the programming syntax?
 
Ranch Hand
Posts: 424
I wrote a method: validSQL
You decide whether you use ' or " as the string delimiter in SQL (I used ").
Then the method replaces the 'wrong' ones with the
HTML escape sequence, e.g. a " becomes &quot;
etc.
Hope this helps.
 
Dirk Schreckmann
Sheriff
Posts: 7023
Does this mean I should monitor and alter their input to suit the programming syntax?
That's what I meant.
 