发表新帖
发表新帖

How to escape single quotes for SQL insert…when string to insert is in a user generated variable

前端 未结
关注
3 1178
无人及你
无人及你 2020-12-05 23:48

I am building an insert command to execute using jdbc. Part of it is to concatenate a user generated string...this all works until the user uses a string like this:

相关标签:
3条回答
  • 佛祖请我去吃肉
    2020-12-06 00:21

    You can do either of the below:

    1. Use the PreparedStatement class. (Recommended)

      String userString="a'bcd";
String myStatement = " INSERT INTO MYTABLE (INSERTCOLUMN) VALUES (?)";
PreparedStatement statement= con.prepareStatement   (myStatement );
statement.setString(1,userString);
statement.executeUpdate();

    2. Escape the single quotes.

      In SQL, single quotes will be escaped by using double single quotes. ' --> ''

      String userString="a'bcd";
String changedUserString = userString.replace("'","''");
        //changedUserString  = a''bcd
String insertTableSQL = "INSERT INTO myTable (insertColumn) VALUES("
                        +" '"+changedUserString +"' )";
    0 讨论(0)
  • 眼角桃花
    2020-12-06 00:31

    You can use StringEscapeUtils from the Apache Commons Lang library. Using this you can escape characters from html, xml, sql, etc. Look for method escapeXXX for your purpose. For reference: When i need to escape Html string?

    note: escapeSql was removed in Apache Commons Lang 3 (see Migrating StringEscapeUtils.escapeSql from commons.lang which references https://commons.apache.org/proper/commons-lang/article3_0.html#StringEscapeUtils.escapeSql)

    Eg:

    String str = FileUtils.readFileToString(new File("input.txt"));
        String results = StringEscapeUtils.escapeHtml(str);
        System.out.println(results);

    Input:

    <sometext>
Here is some "Text" that I'd like to be "escaped" for HTML
& here is some Swedish: Tack. Vars?god.
</sometext>

    Output:

    &lt;sometext&gt;
Here is some &quot;Text&quot; that I'd like to be &quot;escaped&quot; for HTML
&amp; here is some Swedish: Tack. Vars&aring;god.
&lt;/sometext&gt;
    0 讨论(0)
  • 臣服心动
    2020-12-06 00:41

    Here's another option:

    Use a native Android method designed for exactly this purpose:

    DatabaseUtils.sqlEscapeString(String)

    Here is the documentation for it online:

    • sqlEscapeString() on Android Developers

    The main advantage of using this method, in my opinion, is the self-documentation because of the clear method name.

    String userString="a'bcd";
String insertTableSQL = "INSERT INTO myTable "
                            + "(insertColumn) " 
                            + "VALUES("
                                +"'"+DatabaseUtils.sqlEscapeString(userString)+"'"
                                +")";

statement.executeUpdate(insertTableSQL);
    0 讨论(0)
 看不清?
提交回复
热议问题