
I replace a particular string in a statement like the following:

SQL = SQL.replaceAll("CUSTOMER_NUMBER", customer);

This conversion goes as an integer, but I want to replace it as a string, like the following:

AND CIMtrek_accountlist_customer_number = '0002538'

But at present it replaces it like the following:

AND CIMtrek_accountlist_customer_number = 0002538

How to do this in Java?

3 Comments

  • I can only recommend using PreparedStatement. Commented Dec 18, 2012 at 11:51
  • Why at all you are required to do this?? Can you post surrounding code to explain the scenario? And if at all you want to pass a parameter in your SQL query, use PreparedStatement, to avoid getting attacked by SQL Injection. Commented Dec 18, 2012 at 11:53
  • We all want to prevent this from happening ;) Commented Dec 18, 2012 at 11:54

2 Answers

Answer 1 (score 3)

Just get it to output the ' as well as the customer variable:

SQL = SQL.replaceAll("CUSTOMER_NUMBER", "'" + customer + "'");

However, as @jlordo mentioned in a comment, you should look at using prepared statements, which allow you to inject values into a prepared SQL statement.


1 Comment

And use of a prepared statement will avoid SQL Injection Attack.

Answer 2 (score 1)
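An added example (not code from the question or either answer) contrasting the replaceAll splice from the accepted answer with the PreparedStatement the comments recommend. The SELECT wrapper and the table name accountlist are assumptions, since the question only shows the WHERE clause.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Matcher;

public class CustomerLookup {

    // Template in the style of the question; "accountlist" is an assumed table name.
    static final String TEMPLATE =
        "SELECT * FROM accountlist WHERE CIMtrek_accountlist_customer_number = CUSTOMER_NUMBER";

    /**
     * String splicing as in the accepted answer: wraps the value in quotes so
     * the leading zeros of '0002538' survive. The value is still pasted into
     * the SQL text, so anything containing a quote changes the query itself.
     * Note that replaceAll() treats its second argument as a regex replacement,
     * where '$' and '\' are special; Matcher.quoteReplacement() neutralises them
     * so a customer value containing '$' does not throw or get mangled.
     */
    static String spliceLiteral(String customer) {
        String literal = "'" + customer + "'";
        return TEMPLATE.replaceAll("CUSTOMER_NUMBER", Matcher.quoteReplacement(literal));
    }

    /**
     * The fix recommended in the comments: a '?' bind parameter. The driver
     * sends the value separately from the SQL text, so it stays a string
     * (leading zeros intact) and is never parsed as part of the statement.
     */
    static PreparedStatement prepareLookup(Connection conn, String customer) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT * FROM accountlist WHERE CIMtrek_accountlist_customer_number = ?");
        ps.setString(1, customer);   // setString keeps '0002538' as text, not an int
        return ps;
    }

    public static void main(String[] args) {
        // Constructed inputs: the value from the question and one containing a quote.
        System.out.println(spliceLiteral("0002538"));
        System.out.println(spliceLiteral("00025'38"));  // quote lands inside the SQL text
    }
}
```

Running main() shows the second spliced statement is no longer the query the author intended, which is exactly what the bind parameter in prepareLookup() prevents.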

Though you should be using PreparedStatement if you are running SQL, if the placeholder "CUSTOMER_NUMBER" is under your control, it is better to use String.format. See an example here.
