I'm handling user data and store it to oracle which may contain "'", "''", or "'''".
I have try to use replaceAll() method to convert data but it output not my expected result.
try replaceAll() but not work
String sAddress1="";
sAddress1 = "ABC''S ROA'''D";
sAddress1 = sAddress1.replaceAll("'","''");
I expect the output of sAddress1 to be:
"ABC''''S ROA''''''D"
But the actual output is:
"ABC''S ROA''''D"
Your code works correctly. The problem is the persistence in your Oracle DB.
In which way are you storing it into the DB? Are you using native SQL? Are you using JPA/Hibernate?
Probably you are using a Native SQL, since the JPA/Hibernate options should handle the quoting for you.
Take a look to the text literials section in the Oracle documentation https://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements003.htm#sthref344
Or take a look to other answers about escaping single quoutes for Oracle DB
PL/SQL, how to escape single quote in a string?
Escaping single quote in PLSQL
Related
I have data coming from html contact form which i am sending in a email through a java webservice. Everything is working fine but when user inserts data containing apostrophe (single quote) insert fails.
Pls help me to understand How and where to handle this data.
TIA
You just need to use Prepared Statements,it will escape special characters and avoid SQL_injection
You can use Prepared Statements, and you can just escape all special characters like single quote, double quote etc. before inserting in the database.
My current requirement is to store Unicode and other special characters, such as double quotes in MySQL tables. For that purpose, as many have suggested, we should use Apache's StringEscapeUtils.escapeJava() method. The problem is, although this method does replace special characters with their respective unicodes (\uxxxx), the MySQL table stores them as uxxxx and not \uxxxx. Due to this, when I try to decode it while fetching from the database, StringEscapeUtils.unescapeJava() fails (since it cannot find the '\').
Here are my questions:
Why is it happening (that is, '\' are skipped by the table).
What is the solution for this?
Don't use Unicode "codepoints" (\uxxxx), use UTF8.
Dont' use any special functions. Instead announce that everything is UTF-8 (utf8mb4 in MySQL).
See Best Practice
(If you are being provided \uxxxx, then you are stuck with converting to utf8 first. If your real question is on how to convert, then ask it that way.)
`
So I have this string that I am saving in database:
{\"facebook\":\"fb.com\",\"twitter\":\"twitter.com\",\"instagram\":\"\",\"googlePlus\":\"\",\"others\":\"espn.com\"}
But when I call the GET api, I get this in JSON
{\\\"facebook\\\":\\\"fb.com\\\",\\\"twitter\\\":\\\"twitter.com\\\",\\\"instagram\\\":\\\"\\\",\\\"googlePlus\\\":\\\"\\\",\\\"others\\\":\\\"espn.com\\\"}
Why is this happening and how can I get the exact same data that is stored in database?
It is escaped again when you're retrieving the data because Spring thinks that the \ character is part of the data and not used to escape ".
You never want to store escaped characters (be it for JSON special characters, HTML characters in a text, ...), you have to store unescaped data to fix your issue. Escaping has to be done when displaying data, not when storing it.
It is a bad practice to store escaped data because of the problem you're having but also because it will take useless storage space in the database (which might not be a problem right now for you, but will be with millions of rows).
You could also use apache's build in StringEscapeUtils.unescapeJson(String input) mechanism for Json data. See reference https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html
After getting the data, save it in a String and then :
String newJava = str.replace("\\\", "\");
I am trying to escape a whole string for insert into a longtext or varchar. Basically I have a string full of all types of special characters and special words (ex. LIKE) and I just want to escape the whole thing so that I can insert it into my H2 database.
I've asked a few friends and they said that I should try serializing the data. Is this the proper way to insert random strings into the db? Should I be trying to do this with prepared statements?
Sorry I'm new to H2 and not that great with SQL. Thanks for the help in advance!
If you are looking for examples on how to use a PreparedStatement:
http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
http://en.wikipedia.org/wiki/Prepared_statement#Examples
http://www.jdbc-tutorial.com/jdbc-prepared-statements.htm
Use a PreparedStatement and pass the string as a parameter.
Is there a Java library for escaping special characters from a string that is going to be inserted into an SQL query.
I keep writing code to escape various things, but I keep finding some new issue trips me up. So a library that takes care of all or most of the possibilities would be very handy.
EDIT: I am using MySQL (if that makes any difference).
Well... jdbc. Pass the strings as parameters, and don't append them to the query string
A little bit more research points me to this:
http://devwar.blogspot.com/2010/06/how-to-escape-special-characters-in.html
Which suggests to use apache.commons.lang.StringEscapeUtils, I will try this out
I know this is a long time thread, but using the commonslang library there is a method called escapeSql(String). Also using prepared statement automatically escape the offending SQL character.