What special characters need to be escaped when insert String literal to database

I'm using jdbc to insert data to database. For some reasons, I can't use PreparedStatement, I have to execute query directly. What special characters do I have to escape ?. I only know about the single quote(') and the backslash().

Edit: The reason I can't use PreparedStatement is, my app receive json data from server and its values are always represented as String. For example :

{
 "tableName": "movies",
  "data": [
     "The Big Lewbowski",
     "119",
    "1998-06-03"
]
}

It mean now I have to insert the data to the table movies. I can only deserialize the data to a List Now if I use PrepareStatement.

    String sql = "insert into movies values(?,?,?)";
    PreparedStatement ps = con.prepareStatement(sql);
    System.out.println(ps.toString());
    for (int i = 0; i < newData.size(); i++) {
        ps.setObject(i + 1, newData.get(i));
    }
    System.out.println(ps.toString());

com.mysql.jdbc.JDBC4PreparedStatement@6267c3bb: insert into movies values(** NOT SPECIFIED **,**       NOT SPECIFIED **,** NOT SPECIFIED **)
com.mysql.jdbc.JDBC4PreparedStatement@6267c3bb: insert into movies values('The Big        Lewbowski','117','1998-06-03')

As you can see , it doesn't work. my movies table have the different column types : movies(title varchar,runtime int,releaseDate Date); It can insert the data but there must been implicit conversion, right?

Jon Skeet
people
quotationmark

The reason I can't use PreparedStatement is, my app receive json data from server and its values are always represented as String

That's a non-sequitur. You should be able to determine the schema from your database, and then work out how to convert each JSON value appropriately. Aside from anything else, the format in JSON may not be the same as the format the database would expect anyway.

Don't throw away security by just including the values directly in the SQL: perform the conversions in your code, and use PreparedStatement with parameterized values.

Your next tasks should be to:

  • Work out how to get the schema information from the database (this is standard JDBC)
  • Check that you know what format will be used for each of the various types of data (dates in particular can be a pain) so you can convert them
  • Write lots of tests - note that the conversion part can be entirely isolated from JDBC, and very testable.

people

See more on this question at Stackoverflow