I'm inserting a record in an Oracle database, where I'm taking values from a Java bean. It goes like this:
String sql = "insert into allergy (patient_id, allergy, reaction) values(seq_patient.nextval, '" + bean.getPatient_allergy() + "', '" + bean.getReaction() + "')";
But the values for allergy can have an apostrophe, which causes the SQL to fail with ORA-00917: missing comma. Is there any way to overcome this problem?
Use parameterized statements instead of injecting variables into a query:
http://download.oracle.com/javase/tutorial/jdbc/basics/prepared.html
It's better to use bind variables in preference to building your query as a string.
That'll take care of your problem. It will also prevent SQL injection attacks (also, see Bobby Tables).
Here is some info on how to use prepared statements and bind variables in Java: link.
How about using a parameterized query instead of assembling the INSERT command? That would also fix your current SQL injection vulnerability.
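The bind-variable version of the question's INSERT, written as an added example (not code from the question or any answer). The AllergyBean class and the JDBC URL are assumptions; the sequence call stays in the SQL text and only the two user-supplied values are bound.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class AllergyDao {
    // Minimal stand-in for the bean in the question (assumed shape).
    public static class AllergyBean {
        private final String patientAllergy;
        private final String reaction;
        public AllergyBean(String patientAllergy, String reaction) {
            this.patientAllergy = patientAllergy;
            this.reaction = reaction;
        }
        public String getPatient_allergy() { return patientAllergy; }
        public String getReaction() { return reaction; }
    }

    // '?' marks a bind position; seq_patient.nextval is fixed SQL, not user data.
    private static final String INSERT_ALLERGY =
        "insert into allergy (patient_id, allergy, reaction) "
      + "values (seq_patient.nextval, ?, ?)";

    // Returns the number of rows inserted (1 on success).
    public static int insertAllergy(Connection conn, AllergyBean bean) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_ALLERGY)) {
            // The driver ships these as bind variables, so an apostrophe in the
            // value is stored literally and never becomes part of the statement.
            ps.setString(1, bean.getPatient_allergy());
            ps.setString(2, bean.getReaction());
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample: the apostrophe that broke the concatenated query.
        AllergyBean bean = new AllergyBean("Bee sting (patient's first exposure)", "Swelling");
        // Placeholder connection details; replace with your own.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:oracle:thin:@//DB_HOST:1521/SERVICE_NAME", "DB_USER", "DB_PASSWORD")) {
            System.out.println("rows inserted: " + insertAllergy(conn, bean));
        }
    }
}
```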