How can we escape quotes "" characters in Java and MySQL?
我们怎样才能逃避Java和MySQL中的引号“”?
An incoming XML file has quotes, and I am parsing through that file using Java. So I want to escape the quotes here, but in the database it should contain quotes. When I am doing a query the result would have quotes. While displaying on a webpage it should also show quotes.
传入的XML文件有引号,我使用Java解析该文件。所以我想在这里转义引号,但在数据库中它应该包含引号。当我在进行查询时,结果会有引号。在网页上显示时,它也应显示引号。
5 个解决方案
#1
11
Let me try and understand...
让我试着理解......
The incoming file has quotes in it. You want to send it to a database. When you get it back from the database then you still want those quotes to be there.
传入的文件中包含引号。您想将其发送到数据库。当你从数据库中取回它时,你仍然希望那些引号存在。
So is it just to/from the database that you are having your issue?
那么,您是否只是从数据库中获得了您的问题?
If so then I highly suspect you are doing something on the order of: (I'm wrapping it in a disclaimer to keep the unsuspecting from misunderstanding and cutting/pasting into their own applications. ;))
如果是这样,那么我非常怀疑你是按照以下顺序做的事情:(我将它包含在免责声明中,以防止误解和切入/粘贴到他们自己的应用程序中。;))
Bad - do not do this
String sql = "insert into foo (bar,baz) values(" +myValue1 + ", " + myValue2 + ")";
Statement stmt = connection.createStatement();
stmt.executeUpdate(sql);
Bad - do not do that
If so then you should really be using prepared statement's parameters at a minimum. a) you will be less vulnerable to malicious garbage deleting all of your tables, and b) you will not have any escaping problems.
如果是这样,那么你应该至少使用预准备语句的参数。 a)您将不那么容易被恶意垃圾删除所有表格,并且b)您将不会有任何逃避问题。
String sql = "insert into foo (bar, baz) values( ?, ? )";
PreparedStatement stmt = connection.prepareStatement(sql);
stmt.setString(1, myValue1);
stmt.setString(2, myValue2);
stmt.executeUpdate();
Note that it's also safer in the case of things like CLOBs and the specifics of different database implementations (I'm thinking of you, Oracle >))
请注意,在CLOBs和不同数据库实现的细节之类的情况下它也更安全(我在想你,Oracle>))
If it is some other kind of escaping, that is, to/from XML or to/from HTML then that's different, but it is well documented all over the web.
如果它是某种其他类型的转义,即,从XML到/从HTML到/从HTML那么不同,但它在整个网络上都有很好的文档记录。
Or provide some example code if I'm totally off base.
或者提供一些示例代码,如果我完全偏离基础。
#2
3
The typical escape character for pretty much anything is the backslash \.
几乎任何东西的典型转义字符都是反斜杠\。
#3
3
You should use:
你应该使用:
\"
#4
2
Anything (OK, not anything), but most characters use
任何事情(好的,不是什么),但大多数人物使用
\
as the escape character.
作为逃脱角色。
#5
0
The obvious (and best) thing to do is what everyone else suggested. A goofy alternative is to put the double quote inside a single quote:
显而易见(也是最好)的事情是其他人建议的。一个愚蠢的选择是将双引号放在单引号中:
String quotedText = '"' + "A quick brown fox..." + '"';
#1
11
Let me try and understand...
让我试着理解......
The incoming file has quotes in it. You want to send it to a database. When you get it back from the database then you still want those quotes to be there.
传入的文件中包含引号。您想将其发送到数据库。当你从数据库中取回它时,你仍然希望那些引号存在。
So is it just to/from the database that you are having your issue?
那么,您是否只是从数据库中获得了您的问题?
If so then I highly suspect you are doing something on the order of: (I'm wrapping it in a disclaimer to keep the unsuspecting from misunderstanding and cutting/pasting into their own applications. ;))
如果是这样,那么我非常怀疑你是按照以下顺序做的事情:(我将它包含在免责声明中,以防止误解和切入/粘贴到他们自己的应用程序中。;))
Bad - do not do this
String sql = "insert into foo (bar,baz) values(" +myValue1 + ", " + myValue2 + ")";
Statement stmt = connection.createStatement();
stmt.executeUpdate(sql);
Bad - do not do that
If so then you should really be using prepared statement's parameters at a minimum. a) you will be less vulnerable to malicious garbage deleting all of your tables, and b) you will not have any escaping problems.
如果是这样,那么你应该至少使用预准备语句的参数。 a)您将不那么容易被恶意垃圾删除所有表格,并且b)您将不会有任何逃避问题。
String sql = "insert into foo (bar, baz) values( ?, ? )";
PreparedStatement stmt = connection.prepareStatement(sql);
stmt.setString(1, myValue1);
stmt.setString(2, myValue2);
stmt.executeUpdate();
Note that it's also safer in the case of things like CLOBs and the specifics of different database implementations (I'm thinking of you, Oracle >))
请注意,在CLOBs和不同数据库实现的细节之类的情况下它也更安全(我在想你,Oracle>))
If it is some other kind of escaping, that is, to/from XML or to/from HTML then that's different, but it is well documented all over the web.
如果它是某种其他类型的转义,即,从XML到/从HTML到/从HTML那么不同,但它在整个网络上都有很好的文档记录。
Or provide some example code if I'm totally off base.
或者提供一些示例代码,如果我完全偏离基础。
#2
3
The typical escape character for pretty much anything is the backslash \.
几乎任何东西的典型转义字符都是反斜杠\。
#3
3
You should use:
你应该使用:
\"
#4
2
Anything (OK, not anything), but most characters use
任何事情(好的,不是什么),但大多数人物使用
\
as the escape character.
作为逃脱角色。
#5
0
The obvious (and best) thing to do is what everyone else suggested. A goofy alternative is to put the double quote inside a single quote:
显而易见(也是最好)的事情是其他人建议的。一个愚蠢的选择是将双引号放在单引号中:
String quotedText = '"' + "A quick brown fox..." + '"';