java - Error in SQL update query in JDBC
For the command given below, if the variable body_template contains "abhinav's number", it shows the following error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's number

    // body_template and idno are of type String
    String sql_command = "update email_template set body_template='" + body_template + "' where id=" + idno;
    stmt.executeUpdate(sql_command); // here stmt is of type Statement

Kindly suggest how I should redesign the query to handle such cases. Note: the input can't be changed. The problem is coming due to the inclusion of ' in the input.
The best practice is to use PreparedStatement, binding the input values as query parameters. It manages escaping of special characters if present in the input values.

Example:

    // body_template and idno are of type String
    String sql_command = "update email_template set body_template=? where id=?";
    PreparedStatement pst = con.prepareStatement(sql_command);
    pst.setString(1, body_template);
    pst.setString(2, idno);
    int updateResult = pst.executeUpdate();
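The following is an added, self-contained demonstration written for this page; it is not code from the question or the answer above. It runs the concatenated UPDATE and the parameterized UPDATE side by side against an in-memory database so the failure mode and the fix can be observed. Assumptions: the H2 JDBC driver is on the classpath (the `jdbc:h2:mem:` URL is used only so the example runs offline; the same JDBC calls apply unchanged to MySQL), the table layout `email_template(id int, body_template varchar)` and the row with id 7 are constructed for the example, and the class and method names are the author's own choice.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Shows why string concatenation breaks on input containing an apostrophe
 * and how binding the same input through PreparedStatement stores it intact.
 * Assumption: H2 JDBC driver on the classpath; schema and data are constructed.
 */
public class TemplateUpdateDemo {

    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Version from the question: the input is pasted into the SQL text itself.
    static void updateByConcatenation(Connection con, String bodyTemplate, String idno)
            throws SQLException {
        String sql = "update email_template set body_template='" + bodyTemplate
                + "' where id=" + idno;
        try (Statement stmt = con.createStatement()) {
            stmt.executeUpdate(sql);
        }
    }

    // Version from the answer: placeholders in the SQL, values bound separately.
    static int updateByBinding(Connection con, String bodyTemplate, String idno)
            throws SQLException {
        String sql = "update email_template set body_template=? where id=?";
        try (PreparedStatement pst = con.prepareStatement(sql)) {
            pst.setString(1, bodyTemplate);         // the apostrophe is plain data here
            pst.setInt(2, Integer.parseInt(idno));  // id column is numeric, so bind an int
            return pst.executeUpdate();
        }
    }

    // Reads back the stored template so both outcomes can be compared.
    static String readTemplate(Connection con, int id) throws SQLException {
        try (PreparedStatement pst = con.prepareStatement(
                "select body_template from email_template where id=?")) {
            pst.setInt(1, id);
            try (ResultSet rs = pst.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(URL)) {
            try (Statement s = con.createStatement()) {
                s.execute("create table email_template (id int primary key, body_template varchar(255))");
                s.execute("insert into email_template values (7, 'original')");
            }
            String input = "abhinav's number"; // constructed sample input, as in the question

            try {
                updateByConcatenation(con, input, "7");
            } catch (SQLException e) {
                // The quote inside the input closes the string literal early, so the
                // server parses: ... body_template='abhinav's number' where id=7
                System.out.println("concatenated query failed: " + e.getMessage());
            }
            System.out.println("after concatenation: " + readTemplate(con, 7)); // still "original"

            int rows = updateByBinding(con, input, "7");
            System.out.println("bound update changed " + rows + " row(s): " + readTemplate(con, 7));
        }
    }
}
```

Run with the H2 jar on the classpath (`java -cp h2.jar:. TemplateUpdateDemo`). The first update raises a syntax error and leaves the row untouched; the second stores the apostrophe verbatim. The difference is that with binding the SQL text never changes regardless of input, which is also what keeps user-controlled strings from altering the statement's meaning.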
java mysql sql string jdbc