JavaRanch » Java Forums » Databases » JDBC
Mysql/prepareStatement/'

Miran Cvenkel
Ranch Hand

Joined: Nov 23, 2010
Posts: 147
look at 'Equiseti''

Should not prepareStatement eliminate problems with ' ?


Searchable nature photo gallery: http://agrozoo.net/jsp/Galery.jsp?l2=en
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3606
Not when it is used incorrectly, that is, in the same way as the regular Statement.

Please have a look at the PreparedStatement API and the JDBC tutorial. The trick is that you do not put the values into the text of the statement itself, but replace them with question marks (?) and use the proper setXxxx methods (e.g. setString) to set their values. When used this way, you don't need to handle any special characters.
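The two usages side by side, as an added example (not code from the thread or from the gallery site): the first method splices the search term into the SQL text the way a plain Statement would, so a term ending in a single quote, like the Equiseti' case above, closes the literal early and MySQL rejects the statement (or, with a crafted term, runs SQL the caller never wrote). The second method uses a ? placeholder and setString. The table name species, the column latin_name, and the JDBC URL and credentials in main are assumptions for illustration only.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class QuoteSafeLookup {

    // WRONG: the value becomes part of the SQL text. A single quote in it
    // (the Equiseti' case) terminates the string literal early, so the
    // server sees broken SQL, or SQL the caller never intended.
    static List<String> findByNameConcatenated(Connection con, String term) throws SQLException {
        String sql = "SELECT latin_name FROM species WHERE latin_name LIKE '%" + term + "%'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // RIGHT: the SQL text never contains the value. The driver either sends
    // the value separately from the statement or escapes it itself; either
    // way ' and \ in the input are just characters of the search term.
    static List<String> findByNameParameterized(Connection con, String term) throws SQLException {
        String sql = "SELECT latin_name FROM species WHERE latin_name LIKE ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, "%" + term + "%"); // the LIKE wildcards belong to the value, not to the SQL
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed environment: a MySQL server with a table
        // species(latin_name VARCHAR(...)) reachable with these credentials.
        String url = "jdbc:mysql://localhost:3306/gallery";
        try (Connection con = DriverManager.getConnection(url, "gallery", "secret")) {
            String term = "Equiseti'"; // the input from the original post

            try {
                System.out.println(findByNameConcatenated(con, term));
            } catch (SQLException e) {
                // Expected: the spliced statement is rejected as a syntax error.
                System.out.println("concatenated query failed: " + e.getMessage());
            }

            // Works with the same input; nothing had to be escaped by hand.
            System.out.println(findByNameParameterized(con, term));
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, a parameter can only stand for a value, never for a table or column name or for a keyword, so those still must not come from user input. Second, with LIKE the characters % and _ inside the bound value are still wildcards; if the user must be able to search for them literally, escape them in the value and add an ESCAPE clause to the SQL, which is a separate concern from quoting.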
Miran Cvenkel
Ranch Hand

Joined: Nov 23, 2010
Posts: 147
Thanks.

I suspected that is so. I find parametrized queries very annoying, hence here I am.
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3606
Even if the parametrizing is annoying, it is still much less annoying than handling all the data types (escaping the string, converting the dates and so on) correctly, especially as various database dialects tend to differ in these aspects.
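To show the data-type point above concretely, here is an added example (not code from the thread) that binds a string, a date, a decimal and a NULL through setXxxx methods instead of formatting them as SQL text. The table observation with columns latin_name, seen_on and size_cm, and the connection details, are assumptions for illustration only.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.Date;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Types;
import java.time.LocalDate;

public class TypedParameters {

    // Building this statement as text would mean deciding, per database,
    // how a date literal is written, whether the decimal separator is a dot,
    // how a backslash or quote in the name is escaped, and how NULL is spelled.
    // With parameters, Java values go in and the driver does the conversion.
    static int insertObservation(Connection con, String latinName, LocalDate seenOn, BigDecimal sizeCm)
            throws SQLException {
        String sql = "INSERT INTO observation (latin_name, seen_on, size_cm) VALUES (?, ?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, latinName);           // quotes and backslashes are handled by the driver
            ps.setDate(2, Date.valueOf(seenOn));  // no date format strings, no dialect-specific literal
            if (sizeCm == null) {
                ps.setNull(3, Types.DECIMAL);     // NULL is bound explicitly, not spliced as text
            } else {
                ps.setBigDecimal(3, sizeCm);      // exact decimal, independent of the JVM locale
            }
            return ps.executeUpdate();
        }
    }

    // The same prepared statement, bound repeatedly and sent as a batch:
    // the SQL is parsed once and only the values change per row.
    static int[] insertMany(Connection con, String[] latinNames, LocalDate seenOn) throws SQLException {
        String sql = "INSERT INTO observation (latin_name, seen_on, size_cm) VALUES (?, ?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (String name : latinNames) {
                ps.setString(1, name);
                ps.setDate(2, Date.valueOf(seenOn));
                ps.setNull(3, Types.DECIMAL);
                ps.addBatch();
            }
            return ps.executeBatch();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed environment: a MySQL server with a table
        // observation(latin_name VARCHAR(...), seen_on DATE, size_cm DECIMAL(...)).
        String url = "jdbc:mysql://localhost:3306/gallery";
        try (Connection con = DriverManager.getConnection(url, "gallery", "secret")) {
            con.setAutoCommit(false);
            int one = insertObservation(con, "Equisetum arvense 'field'", LocalDate.of(2010, 11, 23),
                                        new BigDecimal("42.5"));
            int[] many = insertMany(con, new String[] {"Equisetum palustre", "Equisetum sylvaticum"},
                                    LocalDate.of(2010, 11, 23));
            con.commit();
            System.out.println("inserted " + one + " + " + many.length + " rows");
        }
    }
}
```

Note that nothing in the Java code depends on the MySQL dialect; switching the JDBC URL to another vendor's driver leaves the binding code unchanged, which is exactly the portability argument made above.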