• Marcus Sundman

    I have source like this:

    InsertQuery ins = new InsertQuery(myTable);
    ins.addColumn(myVarcharColumn, "foo'bar");
    out.println(ins.validate() + ";");

    This produces invalid SQL, because the "'" in "foo'bar" isn't escaped like it
    should be. What am I doing wrong?

  • James Ahlborn

    Unfortunately, not all databases escape strings the same way. sqlbuilder
    strives to be database agnostic, and thus does not provide a built-in string
    escape mechanism. Generally, in this situation it is best to use a prepared
    statement so that you don't run into these kinds of issues (SQL injection
    attacks, etc.). See the QueryPreparer class for a utility to help building
    prepared statements.
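    The following is an added example of the prepared-statement approach
    suggested in the answer; it is not code from the thread or from the
    sqlbuilder project itself. It assumes a table "my_table" with a varchar
    column "name" (standing in for the poster's myTable / myVarcharColumn), an
    open JDBC Connection supplied by the caller, and the QueryPreparer API as
    documented for sqlbuilder (QueryPreparer.getNewPlaceHolder() and
    PlaceHolder.setString(value, ps)). The value "foo'bar" never becomes part
    of the SQL text; it travels to the driver as a bound parameter, so quoting
    and escaping rules of the particular database no longer matter and the
    string cannot alter the statement.

```java
// Added example (not from the original thread or the sqlbuilder project):
// build the INSERT with a QueryPreparer placeholder and bind the value
// through JDBC instead of splicing it into the SQL string.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

import com.healthmarketscience.sqlbuilder.InsertQuery;
import com.healthmarketscience.sqlbuilder.QueryPreparer;
import com.healthmarketscience.sqlbuilder.dbspec.basic.DbColumn;
import com.healthmarketscience.sqlbuilder.dbspec.basic.DbSchema;
import com.healthmarketscience.sqlbuilder.dbspec.basic.DbSpec;
import com.healthmarketscience.sqlbuilder.dbspec.basic.DbTable;

public class PreparedInsertExample {

    // Assumed schema for illustration; stands in for myTable / myVarcharColumn.
    private static final DbSpec SPEC = new DbSpec();
    private static final DbSchema SCHEMA = SPEC.addDefaultSchema();
    private static final DbTable MY_TABLE = SCHEMA.addTable("my_table");
    private static final DbColumn MY_VARCHAR_COLUMN =
        MY_TABLE.addColumn("name", "varchar", 255);

    /**
     * Renders the INSERT with a "?" where the placeholder sits. Rendering the
     * query is what assigns the placeholder its JDBC parameter index, so this
     * must happen before any value is bound to it.
     */
    static String preparedInsertSql(QueryPreparer.PlaceHolder valuePlaceHolder) {
        InsertQuery ins = new InsertQuery(MY_TABLE)
            .addColumn(MY_VARCHAR_COLUMN, valuePlaceHolder);
        return ins.validate().toString();
    }

    /**
     * Inserts {@code value} into my_table.name without the value ever
     * appearing in the SQL text. Returns the JDBC update count.
     */
    static int insertName(Connection conn, String value) throws SQLException {
        QueryPreparer preparer = new QueryPreparer();
        QueryPreparer.PlaceHolder valuePlaceHolder = preparer.getNewPlaceHolder();
        String sql = preparedInsertSql(valuePlaceHolder);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The driver handles quoting; "foo'bar" or "x'); DROP TABLE ..."
            // are just data here.
            valuePlaceHolder.setString(value, ps);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Contrast: the literal form from the question. sqlbuilder quotes the
        // string but does not escape the embedded "'", so this SQL is invalid
        // (and, with attacker-controlled input, injectable).
        InsertQuery literal = new InsertQuery(MY_TABLE)
            .addColumn(MY_VARCHAR_COLUMN, "foo'bar");
        System.out.println(literal.validate() + ";");

        // The prepared form renders a "?" instead of the value.
        QueryPreparer preparer = new QueryPreparer();
        QueryPreparer.PlaceHolder ph = preparer.getNewPlaceHolder();
        System.out.println(preparedInsertSql(ph) + ";");
        // insertName(conn, "foo'bar") would then bind and execute it against a
        // real Connection, which this stand-alone main does not open.
    }
}
```

    Because the placeholder's parameter index is assigned when the query is
    rendered, keep one QueryPreparer per rendered statement and bind values
    only after calling toString()/validate() on the query; reusing a
    placeholder across two differently rendered queries is the one easy
    mistake with this API.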