Thread: Escaping strings?
From: Timothy Reaves (Mon, 2002-11-04 11:06)

What is the proper way to ensure a text string (i.e. one read from a JTextField.getText()) is properly escaped? I assumed the JDBC driver would do this automatically, but it does not. A ' character will cause the JDBC driver to throw an exception.
From: Thomas O'Dowd (04 Nov 2002 11:14:00 +0900)

Use the setString() method of PreparedStatement and it will escape things for you.

Tom.

On Mon, 2002-11-04 at 11:06, Timothy Reaves wrote:
> What is the proper way to ensure a text string (i.e. one read from a
> JTextField.getText()) is properly escaped? I assumed the JDBC driver would
> do this automatically, but it does not. A ' character will cause the
> JDBC driver to throw an exception.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html

--
Thomas O'Dowd, CEO, Nooper.com - Mobile Services Inc., Tokyo, Japan
i-mode & FOMA consulting, development, testing: http://nooper.co.jp/
From: Timothy Reaves (Mon, 2002-11-04 11:35)

Unfortunately I cannot do that, as the entire SQL string is dynamically generated. Is there no parseString() or escapeString() method? If not, what characters need escaping?

Thanks!

On 04 Nov 2002 11:14:00 +0900 "Thomas O'Dowd" <tom@nooper.com> wrote:
> Use the setString() method of PreparedStatement and it will escape
> things for you.
>
> Tom.
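A dynamically generated SQL string does not rule out parameter binding: the SQL text can be assembled at run time with a `?` for each value, and the values bound afterwards with setString() in the same order. The following is an added example, not code from this thread or from the PostgreSQL JDBC driver; the `customers` table and its column names are assumed for illustration, and column names are supplied by the program, never by the user, since identifiers cannot be bound as parameters.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Assembles a SQL statement at run time while still binding every
 * user-supplied value through PreparedStatement.setString().
 * Added example; the table and columns are assumed, not taken from the thread.
 */
public class DynamicQuery {

    private final StringBuilder sql = new StringBuilder();
    private final List<String> params = new ArrayList<>();
    private boolean hasWhere = false;

    public DynamicQuery(String baseSelect) {
        sql.append(baseSelect);
    }

    /**
     * Appends "column = ?" to the WHERE clause. The column name must come from
     * program code (a fixed list), because it is spliced into the SQL text;
     * the value is only remembered here and bound later, never concatenated.
     */
    public DynamicQuery whereEquals(String column, String value) {
        sql.append(hasWhere ? " AND " : " WHERE ");
        sql.append(column).append(" = ?");
        params.add(value);
        hasWhere = true;
        return this;
    }

    /** The generated SQL text, containing only placeholders where values go. */
    public String sql() {
        return sql.toString();
    }

    /** The values to bind, in placeholder order. */
    public List<String> params() {
        return Collections.unmodifiableList(params);
    }

    /** Prepares the statement and binds each value with setString(). */
    public PreparedStatement prepare(Connection conn) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(sql.toString());
        for (int i = 0; i < params.size(); i++) {
            ps.setString(i + 1, params.get(i)); // JDBC parameter indexes are 1-based
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input standing in for JTextField.getText(); the quote is the
        // character that broke the concatenated query in the original question.
        String typed = "O'Reilly";

        DynamicQuery q = new DynamicQuery("SELECT id, name FROM customers")
                .whereEquals("last_name", typed)
                .whereEquals("city", "Tokyo");

        // The SQL text never contains the typed value, only "?" placeholders.
        System.out.println(q.sql());
        System.out.println(q.params());
    }
}
```

The statement text printed by `main` is `SELECT id, name FROM customers WHERE last_name = ? AND city = ?`; the typed value travels separately in `params()` and is handed to the driver through setString() in `prepare()`, so no escaping code is needed in the application at all.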
From: Thomas O'Dowd (Sunday, November 03, 2002 6:53 PM)

You need to escape \ and ' but using setString() is the most portable way of doing it. Escape them both with \. Something like this...

    // Prefix every backslash and single quote with a backslash
    StringBuffer sbuf = new StringBuffer();
    for (int i = 0; i < str.length(); i++) {
        char c = str.charAt(i);
        if (c == '\\' || c == '\'')
            sbuf.append('\\');   // emit the escape character first
        sbuf.append(c);          // then the character itself
    }

Cheers,

Tom.

On Mon, 2002-11-04 at 11:35, Timothy Reaves wrote:
> Unfortunately I cannot do that, as the entire SQL string is dynamically
> generated. Is there no parseString() or escapeString() method? If not,
> what characters need escaping?
>
> Thanks!

--
Thomas O'Dowd, CEO, Nooper.com - Mobile Services Inc., Tokyo, Japan
i-mode & FOMA consulting, development, testing: http://nooper.co.jp/
From: Chris White (Mon, 2002-11-04 12:10)

I think you also have to escape underscore(_).

-----Original Message-----
From: pgsql-jdbc-owner@postgresql.org [mailto:pgsql-jdbc-owner@postgresql.org]On Behalf Of Thomas O'Dowd
Sent: Sunday, November 03, 2002 6:53 PM
To: Timothy Reaves
Cc: pgsql-jdbc@postgresql.org
Subject: Re: [JDBC] Escaping strings?

You need to escape \ and ' but using setString() is the most portable way of doing it. Escape them both with \. Something like this...

    // Prefix every backslash and single quote with a backslash
    StringBuffer sbuf = new StringBuffer();
    for (int i = 0; i < str.length(); i++) {
        char c = str.charAt(i);
        if (c == '\\' || c == '\'')
            sbuf.append('\\');
        sbuf.append(c);
    }

Cheers,

Tom.
From: Thomas O'Dowd (Sunday, November 03, 2002 7:32 PM)

Hmmm... I had no idea :)

Actually, I just had a look at the driver code behind setString(). It actually looks pretty similar to what I wrote earlier and doesn't escape the '_' as far as I can see.

    synchronized (sbuf) {
        sbuf.setLength(0);
        sbuf.ensureCapacity(x.length());
        int i;
        sbuf.append('\'');                  // opening quote of the literal
        for (i = 0 ; i < x.length() ; ++i) {
            char c = x.charAt(i);
            if (c == '\\' || c == '\'')
                sbuf.append((char)'\\');    // backslash-escape \ and '
            sbuf.append(c);
        }
        sbuf.append('\'');                  // closing quote of the literal
        bind(parameterIndex, sbuf.toString(), type);
    }

Does the '_' need to be escaped? Why? If so, the driver code should be updated I guess.

Tom.

On Mon, 2002-11-04 at 12:10, Chris White wrote:
> I think you also have to escape underscore(_).
From: Paul Stead (Sunday, November 03, 2002 8:07 PM)

Just curious.... Does Oracle accept escaping a ' with \' Or do you have to escape a ' with '' in Oracle?

Paul

-----Original Message-----
From: pgsql-jdbc-owner@postgresql.org [mailto:pgsql-jdbc-owner@postgresql.org]On Behalf Of Thomas O'Dowd
Sent: Sunday, November 03, 2002 7:32 PM
To: Chris White
Cc: Timothy Reaves; pgsql-jdbc@postgresql.org
Subject: Re: [JDBC] Escaping strings?

Hmmm... I had no idea :)

Actually, I just had a look at the driver code behind setString(). It actually looks pretty similar to what I wrote earlier and doesn't escape the '_' as far as I can see.

    synchronized (sbuf) {
        sbuf.setLength(0);
        sbuf.ensureCapacity(x.length());
        int i;
        sbuf.append('\'');
        for (i = 0 ; i < x.length() ; ++i) {
            char c = x.charAt(i);
            if (c == '\\' || c == '\'')
                sbuf.append((char)'\\');
            sbuf.append(c);
        }
        sbuf.append('\'');
        bind(parameterIndex, sbuf.toString(), type);
    }

Does the '_' need to be escaped? Why? If so, the driver code should be updated I guess.

Tom.

On Mon, 2002-11-04 at 12:10, Chris White wrote:
> I think you also have to escape underscore(_).
From: Chris White

You are right you don't need to escape the underscore.

-----Original Message-----
From: pgsql-jdbc-owner@postgresql.org [mailto:pgsql-jdbc-owner@postgresql.org]On Behalf Of Paul Stead
Sent: Sunday, November 03, 2002 8:07 PM
To: pgsql-jdbc@postgresql.org
Subject: Re: [JDBC] Escaping strings?

Just curious.... Does Oracle accept escaping a ' with \' Or do you have to escape a ' with '' in Oracle?

Paul
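As an added example (not code from this thread nor from the PostgreSQL JDBC driver), here are the two escaping forms the thread touches on side by side: the backslash form from Tom's snippet and the driver's setString() of the time, and the SQL-standard doubled-quote form that Paul's Oracle question asks about. Two facts worth having next to the code: Oracle does not treat backslash as an escape in a string literal and expects the doubled form; and PostgreSQL since 9.1 defaults `standard_conforming_strings` to on, under which a plain `'...'` literal also leaves backslashes alone, so the backslash form is only honoured inside an `E'...'` literal. The underscore sample shows that `_` needs no escaping in a literal (it is only a wildcard inside a LIKE pattern). Binding with setString() remains the portable answer; this class exists to make visible what each escaping rule actually produces.

```java
/**
 * Added example: the two ways of escaping a value for a single-quoted SQL
 * literal, for the case where a value must be spliced into SQL text rather
 * than bound as a parameter. Not the thread's code and not the driver's.
 */
public final class SqlLiteral {

    private SqlLiteral() {}

    /** Backslash form, as in the 2002 driver: prefixes \ and ' with \. */
    public static String escapeBackslashStyle(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' || c == '\'') {
                out.append('\\');   // escape character first
            }
            out.append(c);          // then the character itself
        }
        return out.toString();
    }

    /** SQL-standard form: every ' becomes ''; backslash is an ordinary character. */
    public static String escapeStandardStyle(String s) {
        return s.replace("'", "''");
    }

    /**
     * Wraps the value in quotes, mirroring what the driver's setString() did
     * before handing the text to bind(), but with the SQL-standard rule.
     * Works under either PostgreSQL backslash setting and in Oracle.
     */
    public static String quoteStandard(String s) {
        return "'" + escapeStandardStyle(s) + "'";
    }

    /**
     * Backslash form inside an E'...' literal, the only context in which
     * PostgreSQL with standard_conforming_strings=on interprets the backslash.
     */
    public static String quoteBackslash(String s) {
        return "E'" + escapeBackslashStyle(s) + "'";
    }

    /**
     * Sanity check for the standard form: after removing every doubled quote,
     * the body between the outer quotes must contain no single quote at all,
     * otherwise the literal would terminate early.
     */
    public static boolean isWellFormedStandardLiteral(String literal) {
        if (literal.length() < 2 || literal.charAt(0) != '\''
                || literal.charAt(literal.length() - 1) != '\'') {
            return false;
        }
        String body = literal.substring(1, literal.length() - 1);
        return !body.replace("''", "").contains("'");
    }

    public static void main(String[] args) {
        // Constructed inputs: a name with a quote, a path with backslashes,
        // and a value whose only special-looking character is an underscore.
        String[] samples = { "O'Reilly", "C:\\temp\\new", "plain_text_with_underscore" };
        for (String s : samples) {
            String std = quoteStandard(s);
            System.out.println("input:      " + s);
            System.out.println("standard:   " + std + "  well-formed=" + isWellFormedStandardLiteral(std));
            System.out.println("backslash:  " + quoteBackslash(s));
            System.out.println();
        }
    }
}
```

Running `main` shows `O'Reilly` becoming `'O''Reilly'` in the standard form and `E'O\'Reilly'` in the backslash form, the Windows path keeping its backslashes untouched in the standard form but doubled in the backslash form, and the underscore value passing through both unchanged.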