
When I submitted the form to my JDBC connection page, it gave an error. I submitted the form with data like this:

It's wrong

It gives an error as shown below:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's wrong' IN BOOLEAN MODE) and bot2=1' at line 1

My code is:

String Query="SELECT * FROM ques WHERE MATCH(subject) AGAINST('"+vv+"' IN BOOLEAN MODE)  and bot2=1"; // vv is spliced straight into the SQL text
Class.forName("com.mysql.jdbc.Driver");
conn=DriverManager.getConnection("jdbc:mysql://localhost:3306/wst","manohar","manohar");
stmt=conn.prepareStatement(Query);
rs=stmt.executeQuery(Query);
while(rs.next())
  {
     ....
  }


Try this instead:

String Query="SELECT * FROM ques WHERE MATCH(subject) AGAINST(? IN BOOLEAN MODE)  and bot2=1";
conn=DriverManager.getConnection("jdbc:mysql://localhost:3306/wst","manohar","manohar");
stmt=conn.prepareStatement(Query);
stmt.setString(1, vv);
rs=stmt.executeQuery();

The technique is called a "parameterized query" and it offers several advantages, one of which is that you don't have to worry about escaping special characters in string parameters.

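As an added example (not code from the question or either answer), here is the same search written with a bound parameter, next to the concatenated string the original code sends, plus one caveat the answer does not cover: the bound value is still parsed by the full-text engine, so boolean-mode operators typed by the user change the search. The `subject` column name, the `id`-free result shape and the connection credentials are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class QuestionSearch {
    // Same query as the question, with the concatenated literal replaced by a placeholder.
    private static final String SQL =
        "SELECT subject FROM ques WHERE MATCH(subject) AGAINST(? IN BOOLEAN MODE) AND bot2=1";

    // What the original code sends for vv = "It's wrong": the apostrophe closes the
    // literal early, which is exactly the syntax error MySQL reports near "'s wrong'".
    static String concatenated(String vv) {
        return "SELECT * FROM ques WHERE MATCH(subject) AGAINST('" + vv + "' IN BOOLEAN MODE) and bot2=1";
    }

    // Binding keeps SQL text and value apart: no escaping, no early-closed literal.
    static List<String> search(Connection conn, String term) throws SQLException {
        List<String> subjects = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, term);                   // bound value, never spliced into the text
            try (ResultSet rs = ps.executeQuery()) { // no-argument form for a PreparedStatement
                while (rs.next()) {
                    subjects.add(rs.getString("subject"));
                }
            }
        }
        return subjects;
    }

    // Caveat: the full-text parser still interprets boolean-mode operators
    // (+ - > < ( ) ~ * " @) inside the bound value. If the user's text should be
    // matched as plain words, neutralise them before binding.
    static String plainWords(String term) {
        return term.replaceAll("[+\\-<>()~*\"@]", " ").trim().replaceAll("\\s+", " ");
    }

    public static void main(String[] args) throws SQLException {
        String vv = "It's wrong";                    // the input from the question
        System.out.println(concatenated(vv));        // prints the broken literal
        // Placeholder credentials: substitute your own connection details.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/wst", "user", "password")) {
            for (String s : search(conn, plainWords(vv))) {
                System.out.println(s);
            }
        }
    }
}
```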

That's because you are not escaping the string in your query.

I think you could find this thread useful: Java - escape string to prevent SQL injection
