does not recognize query string containing '
I am querying some data from the database and inserting data. Whenever the user inserts with ' I have a problem that the query does not recognize.
How can I get rid of that? Should I use string.replace(''', '"'), or any other trick?
Thanks in advance.
You should be using parameterized queries. It's dangerous to insert unprocessed user input on a query, it's an open door to SQL-Injection attacks.
Those are queries in the form

SELECT * FROM USERS where USER_ID = ?

The value of ? is set programmatically with a query.setString(1, userId) call, and the driver takes care of escaping everything correctly. It's not a burden you want to have on your shoulders.
Besides what Xavi López has posted (and you really should keep that in mind), to have a single quote in a string you need to write two single quotes, e.g.:

myString := 'I''m writing an answer';

This represents the string I'm writing an answer.
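Added example (not code from either answer): the three approaches discussed above, tried against an in-memory SQLite database from Python. The table, its two rows and the lookup function names are constructed for this demonstration; `sqlite3` is used as the driver because it ships with Python, but the binding rule is the same for JDBC's `setString`.

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory table; one user_id contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("o'brien", "Dan O'Brien")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, user_id):
    """The approach from the question: pasting the raw value into the SQL text.
    An apostrophe in user_id closes the string literal early, so the statement
    no longer parses; this is the 'query does not recognize' failure."""
    sql = "SELECT name FROM users WHERE user_id = '" + user_id + "'"
    try:
        row = conn.execute(sql).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as err:
        return "error: " + str(err)


def lookup_parameterized(conn, user_id):
    """Parameterized query: the value is bound separately from the SQL text,
    so an apostrophe is ordinary data and nothing has to be escaped by hand."""
    row = conn.execute(
        "SELECT name FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def lookup_literal_doubled(conn):
    """A fixed literal written into the SQL itself: the apostrophe is doubled,
    which is the rule from the second answer ('I''m')."""
    row = conn.execute(
        "SELECT name FROM users WHERE user_id = 'o''brien'"
    ).fetchone()
    return row[0] if row else None
```

Concatenation works for "alice" and fails for "o'brien"; the parameterized lookup returns "Dan O'Brien" for the same input without any replace() trick.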