I just want to ask how to use the REPLACE function in JSP to escape a single quote, like addslashes() in PHP.
My code is:
String task_name= request.getParameter("task_name");
String rep_task_name=task_name.replace("\'","\\\'");
st2 = con.createStatement();
st2.executeUpdate("UPDATE taskes SET task_name='"+rep_task_name+"'");
Thanks.
DO NOT use SQL statements constructed this way; USE PreparedStatement (why):
String task_name = request.getParameter("task_name");
PreparedStatement st2 = con.prepareStatement("UPDATE tasks SET task_name = ?"); // missing WHERE?
st2.setString(1, task_name);
st2.executeUpdate();
The JDBC driver will sanitize the parameters for you.
Thanks for your reply.
The full code is:
<%@ page import="java.sql.*" %>
<%
request.setCharacterEncoding("UTF-8");
String task_order = request.getParameter("task_order");
//String task_id = request.getParameter("task_id");
String task_name = request.getParameter("task_name");
String implementation_phase = request.getParameter("implementation_phase");
String what_has_thereon = request.getParameter("what_has_thereon");
String executing_agency = request.getParameter("executing_agency");
String note = request.getParameter("note");
String end_date = request.getParameter("end_date");
String task_id = request.getParameter("task_id");
String team_id = request.getParameter("team_id");
//String expression ="\'";
// String replacement = "\'";
// String rep_task_name=task_name.replace('v', 'q');
String rep_task_name=task_name.replace("\'","\\\'");
try {
Class.forName("com.mysql.jdbc.Driver");
String hostname = "localhost:3306";
String dbname = "teams_manage";
String dburl = "jdbc:mysql://" + hostname + "/" + dbname;
String user = "root";
String pass = "";
Connection con=DriverManager.getConnection( "jdbc:mysql://"+hostname+"/"+dbname+"?useUnicode=true&characterEncoding=UTF-8",user,pass);
Statement st2 = null;
st2 = con.createStatement();
// session.getAttribute("role_die");
st2.executeUpdate("UPDATE taskes SET task_order='"+task_order+"', task_name='"+rep_task_name+"',implementation_phase='"+implementation_phase+"', what_has_thereon='" + what_has_thereon + "', executing_agency='" + executing_agency + "', end_date='" + end_date + "', note='" + note + "' WHERE task_id =" + task_id + "");
response.sendRedirect("index.jsp?dire="+session.getAttribute("role_die")+"&mmid="+session.getAttribute("memmber_id")+"&team_id="+session.getAttribute("team_id"));
} catch (ClassNotFoundException ex) {
throw new SecurityException("not found" + ex.toString());
}
%>
So you mean I should change the statements and use the con.prepareStatement function?
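Applying the answer's advice to the full UPDATE from the follow-up, as an added example that is not code from either poster: a helper the JSP can call with the request parameter values and the open Connection. The class and method names are mine; the table and column names are the asker's, and task_id is treated as an integer because the original compares it unquoted.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TaskUpdater {
    // The same UPDATE as the concatenated statement in the JSP, but every
    // value is bound as a parameter, so no replace()/escaping is needed.
    private static final String UPDATE_SQL =
        "UPDATE taskes SET task_order = ?, task_name = ?, implementation_phase = ?, "
      + "what_has_thereon = ?, executing_agency = ?, end_date = ?, note = ? "
      + "WHERE task_id = ?";

    /**
     * Returns the number of rows updated (0 means no task with that id).
     * taskId is parsed as an integer before it reaches the driver, so a
     * non-numeric value is rejected here instead of being spliced into
     * the WHERE clause.
     */
    public static int updateTask(Connection con, String taskOrder, String taskName,
                                 String implementationPhase, String whatHasThereon,
                                 String executingAgency, String endDate, String note,
                                 String taskId) throws SQLException {
        int id;
        try {
            id = Integer.parseInt(taskId.trim());
        } catch (NumberFormatException | NullPointerException e) {
            throw new IllegalArgumentException("task_id must be an integer");
        }
        // try-with-resources closes the statement even if executeUpdate throws
        try (PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {
            ps.setString(1, taskOrder);
            ps.setString(2, taskName); // quotes and backslashes are passed through unchanged
            ps.setString(3, implementationPhase);
            ps.setString(4, whatHasThereon);
            ps.setString(5, executingAgency);
            ps.setString(6, endDate);
            ps.setString(7, note);
            ps.setInt(8, id);
            return ps.executeUpdate();
        }
    }
}
```

In the JSP, the `rep_task_name` replace() line goes away and the executeUpdate call becomes `TaskUpdater.updateTask(con, task_order, task_name, implementation_phase, what_has_thereon, executing_agency, end_date, note, task_id);`.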