sql statements
I have a select statement which uses a string as one of its select items; that string might contain ?, ' and other characters too.
Prepared statements work fine if the characters are in the where clause.
But we have the characters in the select itself.
What can be used to parse the SQL when the select contains characters such as ?, : etc.?
Where can we get info on how many classes there are to parse SQL statements?
Thanks.
[439 byte] By [Rxyza] at [2007-11-26 20:08:04]

"INSERT INTO t1 (F1, F2)" +
"SELECT " + empKey + "," + name +
" FROM t2 " +
"WHERE t2.desc = '" + DESP + "'";

name - is a string which can have any character, like ',:,?,`

Thanks.
Rxyza at 2007-7-9 23:10:31 >

> "INSERT INTO t1 (F1, F2)" +
> "SELECT " + empKey + "," + name +
> "FROM t2 " +
> "WHERE t2.desc = '" + DESP + "'";
>
> name - is a string which can have any character. like
> ',:,?,`
>
> Thanks.
Why would it contain characters like that, instead of being a column name or SQL function involving names of columns?
And where is the prepared statement in this? You're not using placemarkers (question marks) in the string at all, so I fail to see how a prepared statement is involved in this.
For example, this:
> WHERE t2.desc = '" + DESP + "'";
should be more like this:
WHERE t2.desc = ?
and using a prepared statement would fill in the ? for you, along with the surrounding quotation marks and escaping any possible special characters there, too.
It's really hard to read with it broken up like that.
select empKey, abc?'% from t2
Is that what you're talking about?
If name is a column name, it can't have those characters in it. If it's a literal, then it would be surrounded by quotes in the actual SQL:
select empKey, 'abc?''%' from t2
or something like that.
Have you tried making that a parameter in a PreparedStatement? I don't know whether it would work or not, but if you haven't tried it, you should.
Once you try it, if it doesn't work, then I'm not sure what the best way would be. I think the only character you have to escape there is the single quote, and I think you escape it by doubling it up, so you could just do name = name.replaceAll("'", "''");
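As an added illustration of the two suggestions above (a placeholder in the SELECT list as well as in the WHERE clause, and the doubled-quote fallback), here is a small Python/sqlite3 script; it is not code from the thread, which is Java/JDBC, but sqlite3 uses the same `?` placeholder syntax. The table layout and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the thread's t2 table.
# The second row's desc contains a single quote on purpose.
SAMPLE_ROWS = [
    (101, "widget"),
    (102, "it's"),
]

# A value containing every character the original poster worried about.
AWKWARD_NAME = "abc',:?`%"


def setup_db():
    conn = sqlite3.connect(":memory:")
    # "desc" is quoted because it is also a SQL keyword.
    conn.execute('CREATE TABLE t2 (empKey INTEGER, "desc" TEXT)')
    conn.execute("CREATE TABLE t1 (F1 INTEGER, F2 TEXT)")
    conn.executemany("INSERT INTO t2 VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def insert_select_bound(conn, name, desp):
    """The thread's INSERT ... SELECT with the SELECT-list literal and the
    WHERE value both passed as bound parameters: no quoting or escaping
    is done by hand, the driver handles the awkward characters."""
    conn.execute(
        'INSERT INTO t1 (F1, F2) SELECT empKey, ? FROM t2 WHERE t2."desc" = ?',
        (name, desp),
    )
    return conn.execute("SELECT F1, F2 FROM t1 ORDER BY F1").fetchall()


def sql_literal(value):
    """Fallback from the last reply: double every single quote and wrap the
    result in quotes. Only for the SELECT-list literal, and only if a driver
    refuses a placeholder there; the WHERE value stays a bound parameter."""
    return "'" + value.replace("'", "''") + "'"


def insert_select_escaped(conn, name, desp):
    sql = ("INSERT INTO t1 (F1, F2) SELECT empKey, " + sql_literal(name)
           + ' FROM t2 WHERE t2."desc" = ?')
    conn.execute(sql, (desp,))
    return conn.execute("SELECT F1, F2 FROM t1 ORDER BY F1").fetchall()


def run_demo():
    # Both approaches should copy row 102 with the literal stored verbatim.
    bound = insert_select_bound(setup_db(), AWKWARD_NAME, "it's")
    escaped = insert_select_escaped(setup_db(), AWKWARD_NAME, "it's")
    return bound, escaped
```

Both calls return the same single row, which shows that the `?` and `'` inside the bound literal are stored as data and that the quote in the WHERE value never reaches the SQL text.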