1

I have to process some parameter that is passed in as a quoted SQL string and then quote it again. I am wondering is there any utility in Hibernate or JDBC or some common Java library that can do the unquoting bit?

(Otherwise I guess I can do str.replace("''","'"). Is this correct?)

Edit:

Just some background. I am trying to add functionality to Hibernate. The Hibernate class I am overriding receives its argument as quoted strings. I have no access to the original argument submitted for the bind variable (without rewrite a number of Hibernate classes).

Colin 't Hart
  • 7,372
  • 3
  • 28
  • 51
billc.cn
  • 7,187
  • 3
  • 39
  • 79
  • 1
    no. you cant. what if your String is "select from eople where firstname = 'bob'" ? – radai Mar 08 '13 at 18:00
  • 1
    Hmmm, that really smells like a design issue. Strings should not be SQL-quoted, and certainly not to pass them to another method. – JB Nizet Mar 08 '13 at 18:00
  • Yes. This will do for unquoting. Why don't you try all this yourself? – Rachcha Mar 08 '13 at 18:00
  • @radai Sorry for not being clear, but the argument is just the String, not the whole query. I am requoting it again after the operation. @ JBNizet I am trying to extend an external package. I would not do it this way if there's better way to do it. @ Rachcha It's all those SQL injection stuff you know. I have to know there isn't any other cases. – billc.cn Mar 08 '13 at 18:04
  • 1
    http://stackoverflow.com/questions/3537706/howto-unescape-a-java-string-literal-in-java – hyde Mar 08 '13 at 18:15
  • @billc.cn - still wont wok, suppose you get just the argument from something like "select restaurant from restaurants where name = 'bob\'s diner'". if any, i'd trim() 1st and then see if the very 1st and very last characters are quotes instead of replacing all the quotes – radai Mar 08 '13 at 18:25

1 Answers1

2

Just don't quote the String object.

there is an issue with your design, you should not be receiving it already quoted, if under any circumstance you need it quoted (avoid that), do it before you are going to use it.

for the JDBC side, you can always do the following, so you don't need SQL quoted strings:

String query ="select myColumn from MyTable where fullname = ?";
PreparedStatement stm = c.prepareStatement(query);
stm.setString(1, "Garis M. Suero");

It's a very good practice to design your software in a simple way in order to mitigate future confusions and errors when developers are coding your software.

For example, if you are receiving this from a third party software you can make an object that will take the string and convert it to the correct value, and maybe have two methods, one 'getValue()and another:getQuotedValue()`

Garis M Suero
  • 7,974
  • 7
  • 45
  • 68