0

I am trying to update text into a MySQL database. The text contains " marks in it. An example string could be Hello "world". Now when I write the insert command, it's something like

insert into mytable ('mystring') values("Hello "world"");

I am using Java to execute a command like this. Obviously this gives an error due to the double quotes in the world string. I tried replacing it with

givenString.replaceAll("\"", "\\"");
givenString.replace(Pattern.quote("\""), "\\"");

But nothing works. Any help is greatly appreciated!

4
  • 1
    Sounds like a job for parameter binding and prepared statements. Commented Oct 18, 2012 at 18:23
  • thanks lemme try it out. Commented Oct 18, 2012 at 18:29
  • 1
    Note, you might want to worry what happens if someone a bit malicious puts a ` in the text. Or control characters, or whatever. Best stick with PreparedStatement`. And that's general to avoid injection attacks when producing any text format. Commented Oct 18, 2012 at 18:36
  • prepared statement to rescue. Thanks a ton for help. Commented Oct 18, 2012 at 18:53

3 Answers

6

Double escape the \ like so:

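// replaceAll also parses the replacement, where \ is an escape, so a literal \ takes four backslashes in source
givenString.replaceAll("\"", "\\\\\"");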

As stated by Ted Hopp in comments, for inserting data into a table you should use prepared statements using parameters, and set them according to the API you are using. For example if you are using JDBC you may use the setString method of your Statement object.

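String str = "Hello \"world";
// con is an open java.sql.Connection; the bound value needs no manual escaping
try (PreparedStatement stmt = con.prepareStatement(
      "insert into mytable (mystring) values (?)")) {
   stmt.setString(1, str);
   stmt.executeUpdate();
}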

About your first comment:

In Java, Strings are immutable, so replaceAll returns a new instance whose content is the string with the required replacements. So what you want is to assign the result back to the previous variable, like so:

public String getSqlLikeString(String givenString) {
   System.out.println(givenString);
   // Strings are immutable: keep the value replaceAll returns.
   // A literal \ in a replaceAll replacement must itself be escaped.
   givenString = givenString.replaceAll("\"", "\\\\\"");
   System.out.println(givenString);
   return givenString;
}

// or just
public String getSqlLikeString(String givenString) {
   return givenString.replaceAll("\"", "\\\\\"");
}
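
The behaviour discussed in this answer and its comments, as an added example that is not part of the original answer: it shows why `replaceAll` with the replacement `"\\\""` returns the input unchanged, how `replace()` and `Matcher.quoteReplacement` differ, and the parameter binding recommended in the comments. The class name `QuoteHandlingDemo`, the method `insertText` and the optional JDBC URL argument are assumptions; `mytable` and `mystring` come from the question.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Matcher;

// Added example; class and method names are hypothetical.
public class QuoteHandlingDemo {

    // Parameter binding: the value travels as data, so quotes, backslashes and
    // control characters in it need no escaping. Table and column names are the
    // ones used in the question.
    static int insertText(Connection con, String text) throws SQLException {
        String sql = "INSERT INTO mytable (mystring) VALUES (?)";
        try (PreparedStatement stmt = con.prepareStatement(sql)) {
            stmt.setString(1, text);
            return stmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        String s = "Hello \"world\""; // constructed sample input

        // replaceAll parses the replacement as well: a backslash there escapes the
        // next character, so \" collapses to " and the result equals the input.
        String viaReplaceAll = s.replaceAll("\"", "\\\"");
        // quoteReplacement makes the replacement literal, so \" is inserted.
        String viaQuoted = s.replaceAll("\"", Matcher.quoteReplacement("\\\""));
        // replace() treats both arguments literally; no regex is involved.
        String viaReplace = s.replace("\"", "\\\"");

        System.out.println("replaceAll unchanged: " + viaReplaceAll.equals(s));
        System.out.println("quoteReplacement:     " + viaQuoted);
        System.out.println("replace():            " + viaReplace);

        // Escaping only the double quote leaves every other special character
        // (here a backslash) untouched, which is why binding is the fix.
        String other = "path C:\\temp\\".replace("\"", "\\\"");
        System.out.println("backslashes kept:     " + other);

        // Optional: args[0] is the JDBC URL of a test database (assumption).
        if (args.length == 1) {
            try (Connection con = DriverManager.getConnection(args[0])) {
                System.out.println("rows inserted: " + insertText(con, s));
            }
        }
    }
}
```

Run without arguments, it only exercises the string handling; the insert runs when a JDBC URL and a matching driver are supplied.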

3 Comments

I already did that but somehow it's not working. This is my code: public String GetSqlLikeString(String givenString){ System.out.println(givenString); givenString.replaceAll("\"", "\\\""); System.out.println(givenString); return givenString; } I believe the Java compiler is not able to look up for it or what.
Yes, you are right about the new instance. Turns out givenstring = givenString.replaceall("\"","ab") works fine by replacing the " with the string ab. But givenString = givenString.replaceAll("\"", "\\\""); does not replace all " with \"
Why use replaceAll() instead of replace()? There is no need to use a regular expression!
0

Try something like this:

    String s = "hello \"world\"";
    System.out.println(s);
    System.out.println(s.replace("\"", "\\\""));

1 Comment

I am getting a string from the web, basically an RSS feed. I intend to update that to my database; that's why I need to add the escape characters.
0

I tried everyone's every attempt displayed throughout Stack Overflow to use all sorts of backslash approaches like ".replace("\"", "'");" with absolutely NO results - nothing was replaced! So I took one step back and realized single quotes are the answer.

Instead of trying to add \ in front of each quote I change the double quotes to single quotes in the incoming string in my getQuotedString(String givenString). Since I am subsequently quoting the entire string with a derived Java code generation of HTML files, this process works great. It uses HTML templates to transform them into Java-compiler-ready code to use as Java classes to fill with database or stored information and resulting with no manual backslashing or swearing. Hope this helps someone. I spent hours trying to deal with double double quotes and multiple backslashes until it dawned on me that my process does not need ".

// Turns each record into a writer.write("...") line of generated Java source.
private void javaCodeWriter(String pWriteFilePath, ArrayList<String> pRecordsList) {
    String editedRecordItem;
    for (int i = 0; i < pRecordsList.size(); i++) {
        String rawCodeLine = pRecordsList.get(i);
        String quotedMods = getQuotedString(rawCodeLine);
        editedRecordItem = ("writer.write(\"" + quotedMods + "\\n\");");
        System.out.println(editedRecordItem);
    }
}

// Replaces every double quote in the given string with a single quote.
public String getQuotedString(String givenString) {
    String repairedString = givenString.replace("\"", "'");
    //System.out.println(repairedString);
    return repairedString;
}

1 Comment

I wonder how this is answering the question... also: you wrote "like ".replace("\"", "'");" with absolutely NO results - nothing was replaced!" but that is exactly what is being done in posted code String repairedString = givenString.replace("\"", "'") ??!??
