I am building an insert command to execute using JDBC. Part of it is to concatenate a user-generated string... this all works until the user uses a string like this:
You can use StringEscapeUtils from the Apache Commons Lang library.
Using this you can escape characters for HTML, XML, SQL, etc. Look for the escapeXXX method that fits your purpose. For reference: When I need to escape Html string?
note: escapeSql was removed in Apache Commons Lang 3 (see Migrating StringEscapeUtils.escapeSql from commons.lang which references https://commons.apache.org/proper/commons-lang/article3_0.html#StringEscapeUtils.escapeSql)
Eg:
import java.io.File;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x; in commons-lang3 use escapeHtml4

String str = FileUtils.readFileToString(new File("input.txt"));
String results = StringEscapeUtils.escapeHtml(str);
System.out.println(results);
Input:
Here is some "Text" that I'd like to be "escaped" for HTML
& here is some Swedish: Tack. Varsågod.
Output:
<sometext>
Here is some &quot;Text&quot; that I'd like to be &quot;escaped&quot; for HTML
&amp; here is some Swedish: Tack. Vars&aring;god.
</sometext>
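The question is about building a JDBC INSERT from a user string, and the answer above shows StringEscapeUtils for output escaping. The following is an added example, not code from the answer's author or from Apache Commons: it keeps the SQL side free of escaping entirely by using a PreparedStatement bind parameter, and applies escapeHtml4 only when the stored text is rendered as HTML. It assumes commons-lang3 and an in-memory H2 database on the classpath; the table name `comments`, the column `body`, and the sample input `USER_TEXT` are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.apache.commons.lang3.StringEscapeUtils;

public class SafeInsertDemo {

    // Constructed sample input: the kind of user text that breaks a concatenated INSERT
    // (single quote) and that must also be escaped before it is placed in an HTML page.
    static final String USER_TEXT = "O'Reilly says \"hi\" & <b>bold</b>";

    // Insert with a bind parameter. The driver sends the value separately from the
    // SQL text, so the quote in USER_TEXT is data, never SQL syntax. No escaping needed.
    static void insertComment(Connection conn, String text) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO comments (body) VALUES (?)")) {
            ps.setString(1, text);
            ps.executeUpdate();
        }
    }

    // Escape at the point of output, for the context the text is rendered in (HTML here).
    // Storing the raw text and escaping on output keeps one copy that is correct for every sink.
    static String renderAsHtml(String text) {
        return StringEscapeUtils.escapeHtml4(text);
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath; an in-memory database is created on demand.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE comments (id INT AUTO_INCREMENT PRIMARY KEY, body VARCHAR(1000))");
            }
            insertComment(conn, USER_TEXT);

            try (PreparedStatement ps = conn.prepareStatement("SELECT body FROM comments");
                 ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    String stored = rs.getString("body");
                    System.out.println("stored : " + stored);          // raw text, quote intact
                    System.out.println("as HTML: " + renderAsHtml(stored)); // entities for ", & and < >
                }
            }
        }
    }
}
```

The two concerns are separate: the bind parameter handles the SQL context, and escapeHtml4 handles the HTML context. Escaping the string once "for SQL" and storing the escaped form would leave it wrong for HTML and double-escaped if it is ever bound as a parameter later.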