问题
I have an application that is saving clob data into database. Suppose when I put some text into textbox and then click save. It will call a procedure that will insert this text (clob) into database table.
Suppose I have the following text:
Hi i am gaurav's soni's
Now my procedure take this clob data as:
insert into rtf_clob(1,'Hi i am gaurav's soni's');
This however throws an error.
How to handle this single quote in dynamic data coming from front end?
I'm using oracle as RDBMS.
回答1:
You should not be writing code to escape the string. The fact that you need to escape the string implies that you are doing something wrong.
If you are using bind variables in your INSERT statement, there will be no need to escape the string when there is a stray single quote. There will also be no need to try to identify SQL injection attacks in the string which is a huge security issue if you're not using bind variables. And you won't be forcing Oracle to parse the query every time it is executed which is critical to system performance.
If the procedure you're talking about is written in PL/SQL, it will use bind variables automatically. Guessing at the column names and assuming that you're using a sequence to generate your primary key, you'd have something like this
CREATE PROCEDURE insert_rtf_clob( p_clob IN NOCOPY CLOB )
AS
BEGIN
INSERT INTO rtf_clob( rtf_clob_id, rtf_clob_value )
VALUES( seq_rtf_clob_id.nextval, p_clob );
END;
Other front-end languages will have different approaches to using bind variables. If you're writing Java using JDBC, for example, you'd create a PreparedStatement and then then call appropriate setXXX methods, i.e.
PreparedStatement stmt = conn.prepareStatement( "INSERT INTO rtf_clob VALUES( ?, ? )" );
stmt.setInt( 1, 1 ); // Set column 1 to a value of 1
stmt.setString( 2, someStringVariable ); // Set column 2 to someStringVariable
stmt.executeUpdate();
回答2:
Double the ': insert into rtf_clob(1,'Hi i am gaurav''s soni''s');
来源:https://stackoverflow.com/questions/8188552/error-while-inserting-data-having-single-quotes-between-it