#1
Escaping in JSP?
I was able to do this in PHP, but I can't figure out how to escape a string in JSP... I am working on a form for inputting data into an Oracle DB. I am using a <textarea> for a description field. In the past, I always escaped textareas to avoid problems. How on earth do you accomplish this task in JSP?
Any help would be great. Thanks in advance, Dower
#2
What do you mean by escaping? Can you give an example?
#3
maybe a "magic_quotes" thing???
escaping ' characters, etc. ???
#4
Ya, sounds like either quotes or entity replacement.
dchin, riddle me this: what version of the jdk are you using?
#5
Man, that same thing has given me fits in the past. I think you could use a servlet method to just replace any instance of ' or " with \' or \". Shouldn't be too difficult. You might use a StringTokenizer to break the string at those chars and then concatenate back together with the appropriate escaped characters in between. Not ideal, I know, but it would probably be effective without too much additional work.
#6
Actually, I'm trying to take input from a text field and make it safe for database input, changing characters like % ' " or other characters that would screw up an SQL statement into \' \" or something similar. I used commands like addslashes for quotes in PHP, and I performed ereg replaces on others.
I recently found the URLEncode and URLDecode methods, and they seem to do the trick; I just wonder if there are better ways. Also, does anyone know how to do regular expressions?
#7
You have to have jdk 1.4 or later to do regex.
#8
If you use a PreparedStatement instead of just a Statement, then the database driver will take care of escaping single quotes and so on for you.
However, on MySQL, with the mm.mysql driver I have had difficulties with using the SQL % symbol (as the PreparedStatement escapes it). In these cases I used regex (Did that really only come along at 1.4? It's pretty fundamental!).
__________________
Little more than a playground for the bugs that live beneath us...
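The PreparedStatement approach from post #8, sketched as an added example that is not code from the thread: the textarea value is bound as a parameter, and for a LIKE search the literal `%` and `_` in the user's text are escaped by the application. The class name, the `items` table, its columns and the `!` escape character are assumptions, and the code is written for Java 7 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example: the table "items" and its columns are hypothetical names.
public class DescriptionDao {

    // Store the raw <textarea> value. The driver sends it as a bound
    // parameter, so quotes in it never become part of the SQL text.
    static void insertDescription(Connection con, int id, String description)
            throws SQLException {
        String sql = "INSERT INTO items (id, description) VALUES (?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.setString(2, description);
            ps.executeUpdate();
        }
    }

    // Make %, _ and the escape character itself literal inside a LIKE pattern.
    static String escapeLike(String term) {
        return term.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // "Contains" search: the wildcards are added by the code, the user's
    // text is escaped, and the whole pattern is still a bound parameter.
    static List<String> findByDescription(Connection con, String term)
            throws SQLException {
        String sql = "SELECT description FROM items WHERE description LIKE ? ESCAPE '!'";
        List<String> hits = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(term) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    hits.add(rs.getString(1));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample input; runs without a database.
        System.out.println(escapeLike("50% off, it's \"new\"_v2!"));
    }
}
```

In a JSP or servlet the `description` argument would be the value of `request.getParameter(...)` for the textarea, passed through unchanged.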
#9
Thanks for the help folks. ghatzhat's Prepared Statement option did the trick. I didn't need to manually convert the field data.
Dower