
I have asked this because I was not able to find the answer.

What I am doing is

 String selectTableSQL = "SELECT * FROM diseaseinfo WHERE diseaseName = '" + diseaseName + "' AND name = '" + username + "'";

It is perfectly running unless and until the disease name contains an 's type of word like

Wilms' tumor

Addison's disease

etc....

so a query like

SELECT * FROM diseaseinfo WHERE diseaseName = 'Adult Still's disease' AND name = 'add';

won't execute because of the 's in 'Adult Still's

and also in Java I can't start a string with String selectTableSQL = ' '; it will always be String selectTableSQL = " ";

Any solution?

Aman
  • Use `PreparedStatement`(s) and ***bind* variables**. – Elliott Frisch May 12 '17 at 15:51
  • ok I will. Besides this, any solution? @ElliottFrisch – Aman May 12 '17 at 15:53
  • Write a correct string escape utility? [`StringEscapeUtils.escapeSql(String)`](http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html#escapeSql%28java.lang.String%29) (note that this is so non-trivial that the method has been removed from more recent versions of `StringEscapeUtils`). – Elliott Frisch May 12 '17 at 16:03
  • Hi @ElliottFrisch can you help me with this http://stackoverflow.com/questions/43957497/dynamic-column-name-using-preparestatement-sql-query-with-variable-containg-s – Aman May 13 '17 at 20:13

2 Answers

The correct way to use queries in JDBC is to use PreparedStatement and bind variables.

But in your case, try replacing the single quotes ' in your values with \'.

You can use a simple diseaseName.replace("'", "\\'"); to do it.

Jerin Joseph

To avoid this case and any syntax error or SQL injection you have to use PreparedStatement instead:

String selectTableSQL = "SELECT * FROM diseaseinfo WHERE col1 = ? and col2 = ?";
try (PreparedStatement ps = connection.prepareStatement(selectTableSQL)) {

    ps.setString(1, value_1);
    ps.setString(2, value_2);
    ResultSet rs = ps.executeQuery();
    while(rs.next()){
        //...
    }
}
Youcef LAIDANI
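The following is an added, self-contained example that is not part of the question or either answer. It puts the question's concatenated query and the second answer's PreparedStatement side by side on the apostrophe-containing names from the question. It assumes the H2 JDBC driver is on the classpath so an in-memory database can stand in for the real one; the table, its rows and the method names are constructed for this demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the question or answers). Assumes the H2 driver is on
// the classpath; the URL, table and rows below are constructed for the demo.
public class DiseaseLookup {

    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed sample data containing the apostrophes from the question.
    static void createSampleTable(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE TABLE diseaseinfo (diseaseName VARCHAR(100), name VARCHAR(50))");
        }
        try (PreparedStatement ins = c.prepareStatement("INSERT INTO diseaseinfo VALUES (?, ?)")) {
            String[][] rows = {
                {"Wilms' tumor", "add"},
                {"Addison's disease", "add"},
                {"Adult Still's disease", "add"}
            };
            for (String[] r : rows) {
                ins.setString(1, r[0]);
                ins.setString(2, r[1]);
                ins.executeUpdate();
            }
        }
    }

    // The question's approach: the value is spliced into the SQL text, so an
    // apostrophe inside it closes the literal early and the statement fails to parse.
    static int countByConcatenation(Connection c, String diseaseName, String username)
            throws SQLException {
        String sql = "SELECT COUNT(*) FROM diseaseinfo WHERE diseaseName = '" + diseaseName
                + "' AND name = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // The second answer's approach: the SQL text is fixed and the values are bound,
    // so the driver passes them as data and they never reach the SQL parser.
    static int countByPreparedStatement(Connection c, String diseaseName, String username)
            throws SQLException {
        String sql = "SELECT COUNT(*) FROM diseaseinfo WHERE diseaseName = ? AND name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, diseaseName);
            ps.setString(2, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            createSampleTable(c);
            String disease = "Adult Still's disease";
            try {
                System.out.println("concatenation: " + countByConcatenation(c, disease, "add"));
            } catch (SQLException e) {
                // Expected: the spliced apostrophe produces a syntax error.
                System.out.println("concatenation failed: " + e.getMessage());
            }
            // Expected: 1, the bound value matches the stored row exactly.
            System.out.println("prepared statement: " + countByPreparedStatement(c, disease, "add"));
        }
    }
}
```

Run with the H2 jar on the classpath (`java -cp h2.jar:. DiseaseLookup`). The concatenated version sends the text `... diseaseName = 'Adult Still's disease' ...`, which no SQL parser accepts, while the bound version returns the matching row. This is also why the first answer's `replace("'", "\\'")` is fragile: backslash escaping is a MySQL extension, standard SQL doubles the quote instead (`''`), so the escape has to match the database dialect and any value the escaping misses becomes part of the statement. Binding parameters removes that dependency entirely.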