Let me try to understand ...
The input file has quotation marks in it. You want to send it to the database. When you return from the database, you still want these quotes to be there.
So it's just in / out of the database, what do you have a problem?
If so, I very much suspect that you are doing something in order: (I wrap it in a disclaimer so as not to suspect misunderstanding and trimming / pasting into my own applications .;))
Bad - don't do it
String sql = "insert into foo (bar,baz) values(" +myValue1 + ", " + myValue2 + ")"; Statement stmt = connection.createStatement(); stmt.executeUpdate(sql);
Bad - don't do it
If so, you should really use the prepared instruction parameters at a minimum. a) you will be less vulnerable to malicious garbage that deletes all your tables, and b) you will not have problems with screening.
String sql = "insert into foo (bar, baz) values( ?, ? )"; PreparedStatement stmt = connection.prepareStatement(sql); stmt.setString(1, myValue1); stmt.setString(2, myValue2); stmt.executeUpdate();
Please note that this is also safe in the case of things like CLOB and the features of various database implementations (I think of you, Oracle>))
If this is some other way of escaping, that is, to / from XML or to / from HTML, then this is different, but it is well documented throughout the Internet.
Or provide some sample code if I'm not completely in the database.
PSpeed
source share