c.d.o.misc: Re: Handling single quotes in data and SQL
Yes, scan the input string and, if it contains a single quote, double it
so that it becomes two single quotes, or eliminate the single quote from
the string altogether.
However, you should not be creating SQL statements that contain text fields; you should instead be using bind variables. The use of strings to build the SQL subjects your code to possible SQL injection. The proper use of bind variables would take away both the possibility of SQL injection and the problem of the data containing a single quote.
HTH -- Mark D Powell -- Received on Thu Apr 20 2006 - 09:18:11 CDT
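The three approaches the post contrasts (raw string concatenation, quote doubling, and bind variables), as an added example that is not part of the original post. It uses Python's sqlite3 module as a stand-in for Oracle, since sqlite3 accepts the same `:name` placeholder style Oracle uses for bind variables; the `customers` table, its rows, and the helper names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for an Oracle table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(1, "O'Brien"), (2, "Smith"), (3, "Jones")],
    )
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """The post's first suggestion: double every single quote so the
    literal 'O''Brien' parses back to O'Brien inside the statement."""
    return value.replace("'", "''")


def lookup_concat(conn, name):
    """SQL built by string concatenation with no escaping.  A quote in
    the data either breaks the statement or changes what it does."""
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Same concatenation, but the data is quote-doubled first."""
    sql = "SELECT id FROM customers WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bind(conn, name):
    """Bind variable: the value is passed beside the SQL, never spliced
    into its text, so no character in it can alter the statement."""
    sql = "SELECT id FROM customers WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def concat_breaks_on_quote(conn, name) -> bool:
    """True if the concatenated statement fails to parse for this input."""
    try:
        lookup_concat(conn, name)
    except sqlite3.Error:
        return True
    return False


def demo():
    conn = make_db()
    legit = "O'Brien"
    hostile = "x' OR '1'='1"  # classic payload that closes the literal
    return {
        # A legitimate name with a quote is a syntax error when concatenated.
        "concat_legit_breaks": concat_breaks_on_quote(conn, legit),
        # The hostile value turns the WHERE clause into a tautology.
        "concat_hostile": lookup_concat(conn, hostile),
        # Doubling the quotes keeps the whole value inside the literal.
        "escaped_legit": lookup_escaped(conn, legit),
        "escaped_hostile": lookup_escaped(conn, hostile),
        # Bind variables need no escaping at all.
        "bind_legit": lookup_bind(conn, legit),
        "bind_hostile": lookup_bind(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it shows that concatenation returns every row for the hostile input, while both the quote-doubled and the bind-variable versions return nothing for it and find `O'Brien` correctly. Quote doubling only covers the one character the post mentions; the bind-variable version is the one to use, because the database never parses user data as SQL text and (in Oracle) the statement's execution plan can be reused across different values.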