
How can I use the replace function in JSP to escape a single quote?

I just want to ask how to use the REPLACE function in JSP to escape single quotes, like addslashes() in PHP.

My code is:

String task_name = request.getParameter("task_name");
// Only the single quote is replaced; a backslash in the input is left as-is.
String rep_task_name = task_name.replace("\'", "\\\'");
st2 = con.createStatement();
st2.executeUpdate("UPDATE taskes SET task_name='" + rep_task_name + "'");

Thanks.

DO NOT use SQL statements constructed this way, USE PreparedStatement ( why ):

String task_name = request.getParameter("task_name");
st2 = con.prepareStatement("UPDATE tasks SET task_name = ?"); // missing WHERE?
st2.setString(1, task_name);
st2.executeUpdate();

The JDBC driver will sanitize the parameters for you.
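To make the answer concrete for the full UPDATE in the question, here is the same statement written with a PreparedStatement. This is an added example, not code from the original post or answer; the table and column names are the ones in the posted JSP, while the class name TaskUpdate, the method names and the sample values are assumptions. Two things visible in the posted code motivate it: the replace() call escapes only the quote, not a backslash, so an input containing a backslash directly before a quote ends the string literal early and lets the rest of the line (including the WHERE clause) be commented out; and task_id is concatenated into the statement unquoted, so it needs no quote at all to inject. Binding every value, including the numeric id, removes both problems at once.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example (not from the original post): the posted UPDATE rewritten
 * with bound parameters. Table and column names come from the posted JSP;
 * the class/method names are assumptions.
 */
public class TaskUpdate {

    // The statement text is fixed; user input never becomes part of it.
    private static final String UPDATE_SQL =
        "UPDATE taskes SET task_order = ?, task_name = ?, implementation_phase = ?, "
      + "what_has_thereon = ?, executing_agency = ?, end_date = ?, note = ? "
      + "WHERE task_id = ?";

    /**
     * Updates one row. Every user-supplied value travels as a bound parameter,
     * so quotes, backslashes and SQL keywords in the input are stored literally
     * and cannot change the statement. Returns the number of rows updated.
     */
    public static int updateTask(Connection con, int taskId, String taskOrder,
                                 String taskName, String implementationPhase,
                                 String whatHasThereon, String executingAgency,
                                 String endDate, String note) throws SQLException {
        // try-with-resources closes the statement even when executeUpdate throws
        try (PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {
            ps.setString(1, taskOrder);
            ps.setString(2, taskName);
            ps.setString(3, implementationPhase);
            ps.setString(4, whatHasThereon);
            ps.setString(5, executingAgency);
            ps.setString(6, endDate);
            ps.setString(7, note);
            ps.setInt(8, taskId);   // numeric column: bind an int, never a concatenated string
            return ps.executeUpdate();
        }
    }

    /**
     * Parses the task_id request parameter. The posted code appended the raw
     * parameter to "WHERE task_id =" without quotes; converting it to an int
     * here rejects anything that is not a number before it reaches the database.
     */
    public static int parseTaskId(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalArgumentException("task_id is required");
        }
        return Integer.parseInt(raw.trim());   // NumberFormatException on junk input
    }

    // Stand-alone demo using the connection settings from the posted JSP.
    public static void main(String[] args) throws SQLException {
        String url = "jdbc:mysql://localhost:3306/teams_manage"
                   + "?useUnicode=true&characterEncoding=UTF-8";
        // Constructed sample input. With the posted replace() escaping, the
        // backslash before the quote would have closed the string literal early;
        // as a bound parameter it is simply stored as text.
        String hostileName = "Review \\' OR 1=1 -- ";
        try (Connection con = DriverManager.getConnection(url, "root", "")) {
            int rows = updateTask(con, parseTaskId("7"), "1", hostileName,
                                  "phase 1", "", "agency", "2024-01-01", "");
            System.out.println("rows updated: " + rows);
        }
    }
}
```

From the JSP scriptlet this replaces both the replace() line and the createStatement/executeUpdate pair: open the connection as before, then call `TaskUpdate.updateTask(con, TaskUpdate.parseTaskId(request.getParameter("task_id")), task_order, task_name, ...)` with the raw request parameters. Wrapping NumberFormatException and SQLException in a ServletException (or redirecting to an error page) is left to the page, since the JSP's generated service method does not declare SQLException.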

Thanks for your reply.

The full code is:

<%@ page import="java.sql.*" %>
<%
        request.setCharacterEncoding("UTF-8");
        String task_order = request.getParameter("task_order");
        String task_name = request.getParameter("task_name");
        String implementation_phase = request.getParameter("implementation_phase");
        String what_has_thereon = request.getParameter("what_has_thereon");
        String executing_agency = request.getParameter("executing_agency");
        String note = request.getParameter("note");
        String end_date = request.getParameter("end_date");
        String task_id = request.getParameter("task_id");
        String team_id = request.getParameter("team_id");
        // Only the single quote is escaped; a backslash in the input is not.
        String rep_task_name = task_name.replace("\'", "\\\'");

        Connection con = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            String hostname = "localhost:3306";
            String dbname = "teams_manage";
            String dburl = "jdbc:mysql://" + hostname + "/" + dbname + "?useUnicode=true&characterEncoding=UTF-8";
            String user = "root";
            String pass = "";
            con = DriverManager.getConnection(dburl, user, pass);
            Statement st2 = con.createStatement();

            // Query built by string concatenation: only task_name is escaped,
            // and task_id is inserted without quotes.
            st2.executeUpdate("UPDATE taskes SET task_order='" + task_order + "', task_name='" + rep_task_name + "', implementation_phase='" + implementation_phase + "', what_has_thereon='" + what_has_thereon + "', executing_agency='" + executing_agency + "', end_date='" + end_date + "', note='" + note + "' WHERE task_id = " + task_id);
            st2.close();
            response.sendRedirect("index.jsp?dire=" + session.getAttribute("role_die") + "&mmid=" + session.getAttribute("memmber_id") + "&team_id=" + session.getAttribute("team_id"));
        } catch (ClassNotFoundException ex) {
            throw new SecurityException("not found " + ex.toString());
        } catch (SQLException ex) {
            // getConnection/executeUpdate throw the checked SQLException; the
            // JSP service method does not declare it, so it must be handled here.
            throw new ServletException("database error", ex);
        } finally {
            if (con != null) {
                try { con.close(); } catch (SQLException ignore) { }
            }
        }
%>

So you mean I should change the statements and use the con.prepareStatement function?

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
