
In a page I have multiple text boxes, where users can enter any sort of data.

I used the h:inputTextarea tag.

JSP/JSF:

<h:inputTextarea style="width:100%" value="#{abc.remark}"  id="remarks" />

Java:

public String getRemark() {
    return remark;
}

public void setRemark(String remark) {
    this.remark = remark;
}

and

// the SQL text is built by string concatenation of the bean values
String sql = "insert into table1 (Remarks, Other) values ('" + this.getRemark() + "','" + this.getOther() + "')";

It almost works, but whenever a user tries to enter a single quote in the remarks, like

John's income is Good

it breaks down and throws java.sql.SQLSyntaxErrorException: ORA-00917: missing comma.

Query Screenshot from log:


Need resolution.

  • As you can see, your issue is not java, jsf, jsf or richtextarea related (you could have known since it correctly arrives on the server from your client). Inserting in the database fails... – Kukeltje Apr 24 '17 at 08:46
  • It's not a duplicate.. how do you explain to the users to enter John''s income is good? –  Apr 24 '17 at 08:50
  • That's not the solution. You should replace ' with '' in the values before inserting them. – Jasper de Vries Apr 24 '17 at 08:51
  • Another solution is to use parameters: [Java - escape string to prevent SQL injection](http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection) – Jasper de Vries Apr 24 '17 at 08:52
  • Use the StringEscapeUtils.escapeSQL method, it will do the needful – Neha Shettar Apr 24 '17 at 09:14
  • @NehaShettar That is extremely bad advice, people should not be using escaping kludges, they should be using prepared statements with parameters. – Mark Rotteveel Apr 24 '17 at 12:41
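The parameterised approach the last comments recommend, as an added example that is not code from the question or from any commenter. It assumes the table and column names from the question (table1, Remarks, Other) and that the caller supplies an open JDBC Connection; the concatenated variant is kept only to show the SQL text that produces the ORA-00917 error.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class RemarkDao {

    // Pattern from the question: the value is spliced into the SQL text.
    // A single quote inside the remark ("John's income is Good") closes the
    // string literal early, so Oracle sees a syntax error (ORA-00917), and a
    // crafted value could change the meaning of the statement (SQL injection).
    static String buildConcatenated(String remark, String other) {
        return "insert into table1 (Remarks, Other) values ('"
                + remark + "','" + other + "')";
    }

    // Fixed pattern: bind parameters. The SQL text is fixed when the statement
    // is prepared and the driver transmits the values separately, so quotes,
    // semicolons or comment markers inside the data are just data. No manual
    // quote doubling or escaping of the user input is needed.
    static void insertRemark(Connection conn, String remark, String other)
            throws SQLException {
        String sql = "insert into table1 (Remarks, Other) values (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, remark); // "John's income is Good" passed unchanged
            ps.setString(2, other);
            ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample value taken from the question.
        String remark = "John's income is Good";
        // Prints the broken SQL text that the concatenating code sends to Oracle.
        System.out.println(buildConcatenated(remark, "n/a"));
    }
}
```

In the JSF bean, setRemark keeps the raw user text and insertRemark is called with it directly; the conversion to a safe literal is the driver's job, not the application's.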
