How to escape single quote in sql which is causing' quoted string not properly terminated '?

Question

I am trying to read terms from a database (>10K) and I'm using that term in another query. I'm getting the following error in Oracle:

quoted string not properly terminated'

I did

term.replaceAll("'", "\\'");

but that doesn't seem to do the job from me. Besides, these terms are tokens from documents when they are converted to text. Is there a regular expression that can overcome this problem?

The exact SQL query is:

String sql = "Select * from indexDB where (DocID=" + d.getDocId() + "and Term='" + term + "')";

I'm using Java. The replacement doesn't work for me.

You need to read up on [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) — Oded, Jul 27 '12 at 18:48
See also http://bobby-tables.com/ for details on how to use parameterized queries in whatever language you're using. This will protect you from SQL injection that Oded referred to. — Andy Lester, Jul 27 '12 at 18:51
Yeah went through it and parameterized query did it !! Thanks so much ! — Aashima, Jul 27 '12 at 20:18

score 38 · Accepted Answer · answered Jul 27 '12 at 18:45

38

You can escape a single quote by repeating it:

term.replaceAll("'","''");

An even better option would be a parameterized query. For an example, we'd have to know your client language.

answered Jul 27 '12 at 18:45

Andomar

232,371
49
380
404

More special characters in ***Oracle***, no only the _character_ **'** ? – Kiquenet May 31 '17 at 13:35

How to escape single quote in sql which is causing' quoted string not properly terminated '?

1 Answers1