Mysql/prepareStatement/'

 
Miran Cvenkel
Ranch Hand
Posts: 196
look at 'Equiseti''



Should not prepareStatement eliminate problems with ' ?
 
Martin Vajsar
Sheriff
Posts: 3751
Not when it is used incorrectly, that is, in the same way as the regular Statement.

Please have a look at the PreparedStatement API and the JDBC tutorial. The trick is that you do not put the values into the text of the statement itself, but replace them with question marks (?) and use the proper setXxxx methods (e.g. setString) to set their values. When used this way, you don't need to handle any special characters.
 
Miran Cvenkel
Ranch Hand
Posts: 196
Thanks.

I suspected that is so. I find parametrized queries very annoying, hence, here I am.
 
Martin Vajsar
Sheriff
Posts: 3751
Even if the parametrizing is annoying, it is still much less annoying than handling all the data types (escaping the string, converting the dates and so on) correctly, especially as various database dialects tend to differ in these aspects.
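To put both of Martin's replies side by side, here is an added example (not code posted by anyone in this thread). It shows the incorrect use he describes, a PreparedStatement whose SQL text still has the value concatenated in, next to the correct use with a ? placeholder and setString, and then the same pattern for a date and an integer. The table and column names (plants, observations, ...), the connection URL and the credentials are made up for the example; the value 'Equiseti' is the one from the original question.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.List;

public class PreparedStatementDemo {

    // Table and column names below (plants, observations, ...) are invented for this example.

    // WRONG: a PreparedStatement used like a plain Statement. The value is still
    // spliced into the SQL text, so a quote inside it (e.g. 'Equiseti') closes the
    // string literal early and the statement is malformed or means something else.
    static List<String> findPlantUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM plants WHERE name = '" + name + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collectNames(rs);
        }
    }

    // RIGHT: the SQL text holds only a placeholder. The value is bound separately,
    // so quotes inside it are just data and need no escaping by hand.
    static List<String> findPlantSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM plants WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    // The same pattern covers other types: the driver formats the date and the
    // integer for the database dialect, so no hand-written conversion is needed.
    static int insertObservation(Connection conn, String plantName, LocalDate seenOn, int howMany)
            throws SQLException {
        String sql = "INSERT INTO observations (plant_name, seen_on, how_many) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, plantName);
            ps.setDate(2, java.sql.Date.valueOf(seenOn));
            ps.setInt(3, howMany);
            return ps.executeUpdate();
        }
    }

    private static List<String> collectNames(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Connection URL and credentials are placeholders, not from the thread.
        String url = "jdbc:mysql://localhost:3306/herbarium";
        try (Connection conn = DriverManager.getConnection(url, "dbuser", "dbpassword")) {
            String name = "'Equiseti'";   // the value from the question, quotes and all
            System.out.println(findPlantSafe(conn, name));
            insertObservation(conn, name, LocalDate.now(), 1);
        }
    }
}
```

findPlantUnsafe is kept only to make the difference visible: with the quoted input it fails with a syntax error on MySQL, while findPlantSafe returns the matching row. Note that the safe version never touches the value's characters at all, which is exactly why the database dialect stops mattering for dates and numbers as well.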
 