On Mon, 19 Aug 2002 ngpg@grymmjack.com wrote:
> $input = "user'name";
> INSERT INTO db (name) VALUES ('$input');
>
> will fail because the ' in the input needs to be escaped with a
> backslash.
It will fail because you're doing this a very, very, very bad way.
Why rewrite this kind of stuff when the vendor has already made
correct code available?
import java.sql.PreparedStatement;  // JDBC class used below; 'connection' is an open java.sql.Connection
PreparedStatement stmt = connection.prepareStatement("INSERT INTO db (name) VALUES (?)");
stmt.setString(1, "user'name");  // setString takes the 1-based placeholder index, then the value
stmt.execute();
cjs
--
Curt Sampson <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
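The difference between the two approaches in the thread, shown as an added example that is not part of either post. It uses Python's sqlite3 module (rather than the JDBC of the reply) so it runs offline against an in-memory database; the table name `db`, the column `name`, the "existing" row, and the injection payload are all constructed for the demonstration. The string-spliced insert reproduces the syntax error the first poster hit with `user'name`, and with a different input it silently runs a second statement; the parameterized insert stores both inputs as plain data.

```python
import sqlite3

# Constructed sample inputs: the apostrophe case from the thread, and an
# injection payload that closes the quote and appends its own statement.
APOSTROPHE_NAME = "user'name"
INJECTION_PAYLOAD = "x'); DELETE FROM db; --"


def fresh_db():
    """In-memory database with the thread's table and one pre-existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT)")
    conn.execute("INSERT INTO db (name) VALUES ('existing')")
    conn.commit()
    return conn


def insert_by_concatenation(conn, value):
    """The pattern from the quoted post: splice the value into the SQL text.

    executescript() is used so that multiple statements in the built string
    all run, which mimics a driver or database that accepts stacked queries.
    """
    sql = "INSERT INTO db (name) VALUES ('%s')" % value
    conn.executescript(sql)
    conn.commit()


def insert_by_parameter(conn, value):
    """Prepared statement: the value is bound to '?' and never parsed as SQL."""
    conn.execute("INSERT INTO db (name) VALUES (?)", (value,))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM db ORDER BY rowid")]


def demo_concatenation(value):
    """Return ('error', message) if the spliced SQL fails to parse,
    otherwise ('ok', names left in the table after the statement(s) ran)."""
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, value)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", stored_names(conn))


def demo_parameter(value):
    """Same inputs through a bound parameter: always ('ok', names)."""
    conn = fresh_db()
    insert_by_parameter(conn, value)
    return ("ok", stored_names(conn))


if __name__ == "__main__":
    for label, value in (("apostrophe", APOSTROPHE_NAME),
                         ("injection", INJECTION_PAYLOAD)):
        print(label, "concatenated:", demo_concatenation(value))
        print(label, "parameterized:", demo_parameter(value))
```

For the apostrophe input the concatenated form raises a syntax error near `name`, exactly the failure the first post describes; for the injection payload it "succeeds" and the table is empty afterwards. Backslash-escaping only addresses the first outcome and only for the quoting rules of one particular database; binding the value as a parameter removes both problems because the value never reaches the SQL parser.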