#1
    Escaping in JSP?


    I was able to do this in PHP, but I can't figure out how to escape a string in JSP... I am working on a form for inputting data into an Oracle DB. I am using a <textarea> for a description field. In the past, I always escaped textareas to avoid problems. How on earth do you accomplish this task in JSP?

    Any help would be great,
    Thanks in advance,
    Dower
#2
    What do you mean by escaping? Can you give an example?
#3
    maybe a "magic_quotes" thing???

    escaping ' characters, etc.

    ???
#4
    Ya, sounds like either quotes or entity replacement.

    dchin, riddle me this: what version of the jdk are you using?
#5
    Man, that same thing has given me fits in the past. I think you could use a servlet method to just replace any instance of ' or " with \' or \". Shouldn't be too difficult. You might use a StringTokenizer to break the string at those chars and then concatenate back together with the appropriate escaped characters in between. Not ideal, I know, but it would probably be effective without too much additional work.
#6
    Actually, I'm trying to take input from a text field to make it safe for database input, changing characters like % ' " or other characters that would screw up an SQL statement into \' \" or something similar. I used commands like addslashes for quotes in PHP, and I performed ereg replaces on others.

    I recently found the URLEncode and URLDecode methods, and they seem to do the trick; I just wonder if there are better ways. Also, does anyone know how to do regular expressions?
#7
    You have to have jdk 1.4 or later to do regex.
#8
    If you use a PreparedStatement instead of just a Statement, then the database driver will take care of escaping single quotes and so on for you.

    However, on MySQL, with the mm.mysql driver I have had difficulties with using the SQL % symbol (as the PreparedStatement escapes it). In these cases I used regex (Did that really only come along at 1.4? It's pretty fundamental!).
    Little more than a playground for the bugs that live beneath us...
#9

    Prepared Statement did it


    Thanks for the help folks. ghatzhat's Prepared Statement option did the trick. I didn't need to manually convert the field data.

    Dower
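
The fix the thread settled on, as an added example that is not part of any post: the textarea value is bound with a PreparedStatement, and the LIKE case raised in post #8 is handled by escaping % and _ in the search term and declaring the escape character in the SQL. The `items` table, the `DescriptionDao` class and the `!` escape character are assumptions, and a JDBC driver for the target database must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class DescriptionDao {
    // Hypothetical table items(description); the name and column are assumptions.
    private static final String INSERT_SQL = "INSERT INTO items (description) VALUES (?)";
    private static final String SEARCH_SQL =
        "SELECT description FROM items WHERE description LIKE ? ESCAPE '!'";

    /** Stores the form value as data; quotes in it are never parsed as SQL. */
    static void insertDescription(Connection con, String description) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, description);
            ps.executeUpdate();
        }
    }

    /** Makes %, _ and the escape character itself literal inside a LIKE pattern. */
    static String escapeLike(String term) {
        return term.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /** Substring search: the outer wildcards are ours, the user's term matches literally. */
    static int countMatches(Connection con, String term) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(SEARCH_SQL)) {
            ps.setString(1, "%" + escapeLike(term) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of a database that has the items table (assumption).
        try (Connection con = DriverManager.getConnection(args[0])) {
            con.setAutoCommit(false);
            // Constructed sample input containing the characters the thread worries about.
            insertDescription(con, "It's a \"5% solution\" for field_1");
            System.out.println(countMatches(con, "5% solution"));
            con.rollback(); // leave the table as it was
        }
    }
}
```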
