开发者

what is the escape oracle sql sequence while inserting a record?

开发者 https://www.devze.com 2023-04-06 05:58 出处:网络
I\'m inserting a record in oracle database, where I\'m taking values from a java bean. It goes like this::

I'm inserting a record in oracle database, where I'm taking values from a java bean. It goes like this::

insert into allergy (patient_id, allergy, reaction) values(seq_patient.nextval, '" + bean.getPatient_allergy() + "', '"+ bean.getReaction()+"')";

But the values for allergy can gave an apostrophe which causes the sql to fail w开发者_如何学Cith ORA-00917: missing comma. is there any way to overcome this problem?


Use parameterized statements instead of injecting variables into a query:

http://download.oracle.com/javase/tutorial/jdbc/basics/prepared.html


It's better to use bind variables in preference to building your query as a string.

That'll take care of your problem. It will also prevent SQL injection attacks (also, see Bobby Tables).

Here is some info on how to use prepared statements and bind variables in Java: link.


How about using parameterized query instead of assembling the INSERT command? Tha would also fix your current SQL Injection vulnerability.

0

精彩评论

暂无评论...
验证码 换一张
取 消