Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

apostrophe in text

Status
Not open for further replies.
lespaul

lespaul

Programmer
Feb 4, 2002
7,083
US
So we have a web page that has a text box where the user can enter something like:
[tt]
Short Description: [highlight white]Judge's Orders[/highlight]
[/tt]

however when that gets input into the update query string:

[tt]strSQL = "Update TableName Set ShortDesc = '" + shortDesc + "'"[/tt]

it doesn't work. We've tried replacing it with an escape character, but that doesn't do what we need either. What we need is to be able to capture and enter apostrophe's in the database.

I'm sure someone has solved this, I just can't find the solution....any assistance?

Thanks!

Leslie

Have you met Hardy Heron?
 
Sort by date Sort by votes
Need to use two apostrphes...

Code: 
shortDesc = document.getElementById("textBoxId").value;
shortDesc = theShortDesc.replace(/'/g,\'\');

My regex is rusty if you couldn't tell, but that should give you a jump start... I hope.
 
Upvote 0 Downvote
Okay... I am a moron. For some reason I thought I was in the JavaScript forum.

But you can use the <str:replace> tag to do the same thing I believe.
 
Upvote 0 Downvote
ok I'll pass that along to the developer who's working on it Monday and we'll give it a shot!
I'll let you know.

Leslie
 
Upvote 0 Downvote
There is another way to solve and it needs more modification but it is more secure.
If you use preparedstatement, Java will escape(handle) all the control character like apostrophe, question mark...automatically.
Code: 
private myUpdate(Connection con, String description, String idFound){
try{
    ResultSet rs = null;
    String sql = "Update TableName Set ShortDesc = ? where         id=?";
    PreparedStatement ps = con.prepareStatement(sql);
    ps.setString(1,description);
    ps.setString(2,idFound);
    PreparedStatement ps = con.prepareStatement();
    rs = ps.executeUpdate();
}
catch (Exception e){
      e.printStackTrace();
      }
}
 
Upvote 0 Downvote
Code: 
private void myUpdate(Connection con, String description, String idFound){
try{
    ResultSet rs = null;
    String sql = "Update TableName Set ShortDesc = ? where         id=?";
    PreparedStatement ps = con.prepareStatement(sql);
    ps.setString(1,description);
    ps.setString(2,idFound);
    PreparedStatement ps = con.prepareStatement();
    rs = ps.executeUpdate();
}
catch (Exception e){
      e.printStackTrace();
      }
}
 
Upvote 0 Downvote
Prosper has the right solution in my opinion. As an additional measure, I'd suggest creating a (or using an already existing) method to escape special characters. This can be beneficial for saving to the database (preventing SQL injection), as well as helping to prevent creation of malicious code (Cross site scripting).

-----------------------------------------
I cannot be bought. Find leasing information at
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

vanimca
  • Locked
  • Question
Registration page with take picture in webcam snapshot in java
Replies
1
Views
134
Diancecht
Diancecht
HemanthaNet
  • Locked
  • Article
Suppose to develope the Tender post project in Srping MVC
Replies
0
Views
96
HemanthaNet
HemanthaNet
mukeshvishwas
  • Locked
  • Question
How to create &quot;.view&quot; extension file in j2ee
Replies
1
Views
136
Diancecht
Diancecht
rach18
  • Locked
  • Question
Problem with executing ssh in JSP
Replies
1
Views
119
Diancecht
Diancecht
capellone2
  • Locked
  • Question
Set form property in jsp
Replies
1
Views
123
Diancecht
Diancecht

Part and Inventory Search

Sponsor

Back
Top