How to correct format a string to prevent against invalid characters in a statement?

Question

If a variable contains a ', it will throw a mysqlsyntaxerror exception when attempting to execute a statement.

Is there a simple way around this, or whether you must write a method removing all characters that may interrupt the statement and put each variable through it before executing?

Use prepared statements. https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html — JB Nizet, Jul 21 '19 at 16:33
Specifically, use **query parameters** instead of string-concatenation to form SQL statements. But you have to use prepared statements to use query parameters. — Bill Karwin, Jul 21 '19 at 17:30

score 3 · Accepted Answer · answered Jul 21 '19 at 16:34

This is one of the reasons to use prepared statement

first benefit of using a PreparedStatement is you can take advantage of the multitude of .setXYZ() methods, such as .setString(), which allows your code to automatically escape special characters such as quotations within the passed in SQL statement

How to correct format a string to prevent against invalid characters in a statement?

1 Answers1