What method to use for escaping all escapable characters

Question

I have trouble with my database: I need to prepare my insert commands for any kind of escape characters like " ' ? /. I could encode them using the key that I have written, but since this takes a small portion of time to calculate and insert, I'd like to know if there is any kind of insert that doesn't collide?

I'm currently using this

String selectSQL2 = "SELECT * FROM "+postid+" WHERE name="+"'"+name+"'";

ResultSet tableExistance = null;
tableExistance = conn.prepareStatement(selectSQL2).executeQuery(selectSQL2);

appearantly ur right, put it as answer please – user3597152 Jan 03 '15 at 13:57 — user3597152, Jan 03 '15 at 13:57

Reimeus · Accepted Answer · 2015-01-03T14:02:47.970

1

PreparedStatement will handle the escaping of characters (except for reserved word escaping) but you will need to use the correct version of executeQuery

PreparedStatement statement = 
                conn.prepareStatement("SELECT * FROM tablename WHERE name=?");
statement.setString(1, "Foo");
ResultSet tableExistance = statement.executeQuery();

edited Jan 03 '15 at 14:02

answered Jan 03 '15 at 13:56

Reimeus

158,255
15
216
276

What method to use for escaping all escapable characters

1 Answers1