October 9th, 2002, 02:47 PM
Escaping in JSP?
I was able to do this in PHP, but I can't figure out how to escape a string in JSP... I am working on a form for inputting data into an Oracle DB. I am using a <textarea> for a description field. In the past, I always escaped textareas to avoid problems. How on earth do you accomplish this task in JSP?
Any help would be great,
Thanks in advance,
October 9th, 2002, 04:41 PM
What do you mean by escaping? Can you give an example?
October 9th, 2002, 10:06 PM
maybe a "magic_quotes" thing???
escaping ' characters, etc.
October 9th, 2002, 10:48 PM
Ya, sounds like either quotes or entity replacement.
dchin, riddle me this: what version of the jdk are you using?
October 10th, 2002, 10:18 AM
Man, that same thing has given me fits in the past. I think you could use a servlet method to just replace any instance of ' or " with \' or \". Shouldn't be too difficult. You might use a StringTokenizer to break the string at those chars and then concatenate back together with the appropriate escaped characters in between. Not ideal, I know, but it would probably be effective without too much additional work.
October 10th, 2002, 11:18 AM
Actually, I'm trying to take input from a text field and make it safe for database input: changing characters like % ' " or other characters that would screw up an SQL statement into \' \" or something similar. I used commands like addslashes for quotes in PHP, and I performed ereg replaces on others.
I recently found the URLEncode and URLDecode methods, and they seem to do the trick, I just wonder if there are better ways. Also, does anyone know how to do regular expressions?
October 10th, 2002, 11:38 AM
You have to have jdk 1.4 or later to do regex.
October 10th, 2002, 08:43 PM
If you use a PreparedStatement instead of just a Statement, then the database driver will take care of escaping single quotes and so on for you.
However, on MySQL, with the mm.mysql driver I have had difficulties with using the SQL % symbol (as the PreparedStatement escapes it). In these cases I used regex (Did that really only come along at 1.4? It's pretty fundamental!).
Little more than a playground for the bugs that live beneath us...
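As an added illustration of the two approaches in this thread (the hand-built SQL string from the earlier posts and the PreparedStatement from the post above), here is a small JDBC class. It is example code written for this page, not anything posted by the participants; the `items` table, its `id` and `description` columns, the JDBC URL and the credentials are placeholders. It also covers the LIKE wildcard point: `%` and `_` keep their wildcard meaning even when bound as a parameter, so the query declares an ESCAPE character and the code escapes them before binding. Quote doubling is the Oracle rule for a literal, which is why a PHP-style backslash would not help there.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class DescriptionDao {

    // The approach the thread starts from: build the SQL by hand. A single quote
    // in the textarea ends the literal early, and the rest of the text becomes SQL.
    static String buildUnsafeSql(int id, String description) {
        return "INSERT INTO items (id, description) VALUES ("
                + id + ", '" + description + "')";
    }

    // Oracle escapes a quote inside a literal by doubling it, not with a backslash.
    // This handles quotes, but every field still has to be escaped by hand.
    static String quoteForOracle(String description) {
        return "'" + description.replace("'", "''") + "'";
    }

    // Bind the value as a parameter: the driver sends it separately from the SQL
    // text, so nothing in the textarea can change the statement's structure.
    static int insertDescription(Connection conn, int id, String description)
            throws SQLException {
        String sql = "INSERT INTO items (id, description) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.setString(2, description);
            return ps.executeUpdate();
        }
    }

    // % and _ are LIKE wildcards and a bound parameter does not neutralise them.
    // Escape them (and the escape character itself) before binding.
    static String escapeLike(String text) {
        return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Prefix search that treats the user's % and _ literally, via ESCAPE '\'.
    static List<String> findByDescriptionPrefix(Connection conn, String prefix)
            throws SQLException {
        String sql = "SELECT description FROM items WHERE description LIKE ? ESCAPE '\\'";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, escapeLike(prefix) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input, as a user might type it into the textarea.
        String fromTextarea = "100% cotton, O'Brien's choice";
        System.out.println(buildUnsafeSql(7, fromTextarea));  // quote ends the literal: broken SQL
        System.out.println(quoteForOracle(fromTextarea));      // doubled quotes: valid literal
        System.out.println(escapeLike("50%_off"));             // 50\%\_off

        // Hypothetical connection details; replace with your own.
        String url = "jdbc:oracle:thin:@//dbhost:1521/ORCL";
        try (Connection conn = DriverManager.getConnection(url, "app", "secret")) {
            insertDescription(conn, 7, fromTextarea);
            System.out.println(findByDescriptionPrefix(conn, "100%"));
        } catch (SQLException e) {
            System.out.println("no database available: " + e.getMessage());
        }
    }
}
```

The try-with-resources syntax is newer than the JDK 1.4 discussed in the thread; on 1.4 the same code works with explicit `close()` calls in a `finally` block. The printed `buildUnsafeSql` line is there to show the problem, not to be executed.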
October 22nd, 2002, 04:33 PM
Prepared Statement did it
Thanks for the help folks. ghatzhat's Prepared Statement option did the trick. I didn't need to manually convert the field data.