
executeUpdate, executeQuery, or execute with an empty argument list. Here is an example that uses executeUpdate to issue a DELETE query:

    PreparedStatement s;
    int count;

    s = conn.prepareStatement ("DELETE FROM profile WHERE cats = ?");
    s.setInt (1, 2);        // bind a 2 to the first placeholder
    count = s.executeUpdate ();
    s.close ();             // close statement
    System.out.println (count + " rows were deleted");

For a query that returns a result set, the process is similar, but you use executeQuery instead:

    PreparedStatement s;

    s = conn.prepareStatement ("SELECT id, name, cats FROM profile"
                               + " WHERE cats < ? AND color = ?");
    s.setInt (1, 2);        // bind 2 and "green" to first and second placeholders
    s.setString (2, "green");
    s.executeQuery ();
    ... process result set here ...
    s.close ();             // close statement

The setXXX methods that bind data values to queries take two arguments: a placeholder position (beginning with 1, not 0) and the value to be bound to the placeholder. The type of the value should match the type in the setXXX method name. For example, you should pass an integer value to setInt, not a string. Placeholder characters need no surrounding quotes in the query string. JDBC supplies quotes as necessary when it binds values to the placeholders.

2.8 Including Special Characters and NULL Values in Queries

2.8.1 Problem

You're having trouble constructing queries that include data values containing special characters such as quotes or backslashes, or special values such as NULL.

2.8.2 Solution

Use your API's placeholder mechanism or quoting function.

2.8.3 Discussion

Up to this point, our queries have used "safe" data values requiring no special treatment. This section describes how to construct queries when you're using values that contain special characters such as quotes, backslashes, binary data, or values that are NULL. The difficulty with such values is as follows. Suppose you have the following INSERT query:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('Alison','1973-01-12','blue','eggroll',4);

There's nothing unusual about that. But if you change the name column value to something like De'Mont that contains a single quote, the query becomes syntactically invalid:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('De'Mont','1973-01-12','blue','eggroll',4);

The problem is that there is a single quote inside a single-quoted string. To make the query legal, the quote could be escaped by preceding it either with a single quote or with a backslash:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('De''Mont','1973-01-12','blue','eggroll',4);
    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('De\'Mont','1973-01-12','blue','eggroll',4);

Alternatively, you could quote the name value itself within double quotes rather than within single quotes:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES("De'Mont",'1973-01-12','blue','eggroll',4);

Naturally, if you are writing a query literally in your program, you can escape or quote the name value by hand because you know what the value is. But if you're using a variable to provide the name value, you don't necessarily know what the variable's value is. Worse yet, single quote isn't the only character you must be prepared to deal with; double quotes and backslashes cause problems, too. And if you want to store binary data such as images or sound clips in your database, such values might contain anything—not just quotes or backslashes, but other characters such as nulls (zero-valued bytes).

The need to handle special characters properly is particularly acute in a web environment where queries are constructed using form input (for example, if you're searching for records that match search terms entered by the remote user). You must be able to handle any kind of input in a general way, because you can't predict in advance what kind of information people will supply. In fact, it is not uncommon for malicious users to enter garbage values containing problematic characters in a deliberate attempt to break your scripts.

The SQL NULL value is not a special character, but it too requires special treatment. In SQL, NULL indicates "no value." This can have several meanings depending on context, such as "unknown," "missing," "out of range," and so forth. Our queries thus far have not used NULL values, to avoid dealing with the complications that they introduce, but now it's time to address these issues. For example, if you don't know De'Mont's favorite color, you can set the color column to NULL—but not by writing the query like this:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('De''Mont','1973-01-12','NULL','eggroll',4);

Instead, the NULL value shouldn't have any surrounding quotes at all:

    INSERT INTO profile (name,birth,color,foods,cats)
    VALUES('De''Mont','1973-01-12',NULL,'eggroll',4);

If you were writing the query literally in your program, you'd simply write the word NULL without surrounding quotes. But if the color value comes from a variable, the proper action is not so obvious. You must know something about the variable's value to be able to determine whether or not to surround it with quotes when you construct the query.

There are two general means at your disposal for dealing with special characters such as quotes and backslashes, and with special values such as NULL:

• Use placeholders if your API supports them. Generally, this is the preferred method, because the API itself will do all or most of the work for you of providing quotes around values as necessary, quoting or escaping special characters within the data value, and possibly interpreting a special value to map onto NULL without surrounding quotes. Recipe 2.7 provides general background on placeholder support; you should read that section if you haven't already.

• Use a quoting function if your API provides one for converting data values to a safe form that is suitable for use in query strings.

The remainder of this section shows how to handle special characters for each API. The examples demonstrate how to insert a profile table record that contains De'Mont for the name value and NULL for the color value. The techniques shown work generally to handle any special characters, including those found in binary data. The techniques are not limited to INSERT queries. They work for other kinds of statements as well, such as SELECT queries. Examples showing specifically how to work with a particular kind of binary data—images—are provided in Chapter 17.

A related issue not covered here is the inverse operation of transforming special characters in values returned from your database for display in various contexts. For example, if you're generating HTML pages that include values taken from your database, you have to convert < and > characters in those values to the HTML entities &lt; and &gt; to make sure they display properly. This topic is discussed in Chapter 16.
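The following Python program is an added example, not code from the book, that puts the two approaches side by side. It uses Python's standard sqlite3 module as a stand-in for MySQL so that it runs with no server (sqlite3 uses ? placeholders where MySQLdb uses %s, and its error class names differ), and it declares the foods column as BLOB rather than the book's SET type so that binary data can be stored in it. The profile table layout, the De'Mont record and the second sample row are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the book): the De'Mont record with a NULL
# color, plus a row whose values carry a backslash and binary data containing
# a zero byte and a quote, the cases the discussion says hand-quoting can't
# handle reliably.
SAMPLE_ROWS = [
    ("De'Mont", "1973-01-12", None, "eggroll", 4),
    ("O\\Neil", "1980-05-05", "red", b"\x00\xff\x27binary", 0),
]


def open_profile_db():
    """Create an in-memory database with a profile table shaped like the
    book's. sqlite3 stands in for MySQL so the example needs no server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT,"
        " birth TEXT, color TEXT, foods BLOB, cats INTEGER)"
    )
    return conn


def insert_by_concatenation(conn, row):
    """The unsafe way: splice the values into the query text yourself.
    A name such as De'Mont puts a single quote inside a single-quoted
    string, so the query is syntactically invalid; and a None value would
    become the string 'None' rather than an unquoted SQL NULL."""
    name, birth, color, foods, cats = row
    sql = (
        "INSERT INTO profile (name,birth,color,foods,cats)"
        " VALUES ('%s','%s','%s','%s',%d)" % (name, birth, color, foods, cats)
    )
    conn.execute(sql)


def insert_with_placeholders(conn, row):
    """The safe way: bind every value through a placeholder. The driver
    supplies the quotes, escapes quotes and backslashes inside the value,
    passes bytes through intact, and maps Python None to SQL NULL."""
    cur = conn.execute(
        "INSERT INTO profile (name,birth,color,foods,cats) VALUES (?,?,?,?,?)",
        row,
    )
    return cur.lastrowid


def fetch_profile(conn, name):
    """Look a row up by name, again via a placeholder: the same technique
    works for SELECT, not just INSERT."""
    cur = conn.execute(
        "SELECT name, birth, color, foods, cats FROM profile WHERE name = ?",
        (name,),
    )
    return cur.fetchone()


def demo():
    """Run both approaches and collect what each one did."""
    conn = open_profile_db()
    results = {}
    try:
        insert_by_concatenation(conn, SAMPLE_ROWS[0])
        results["concat"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["concat"] = "syntax error: %s" % exc
    for row in SAMPLE_ROWS:
        insert_with_placeholders(conn, row)
    results["demont"] = fetch_profile(conn, "De'Mont")
    results["oneil"] = fetch_profile(conn, "O\\Neil")
    # A variable holding the *string* "NULL" is data, not the SQL keyword:
    # bound through a placeholder it is stored as the text 'NULL'. Only the
    # language's null (None here) is sent as an unquoted SQL NULL.
    insert_with_placeholders(conn, ("Nobody", "2000-01-01", "NULL", "rice", 1))
    results["string_null"] = fetch_profile(conn, "Nobody")[2]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %r" % (key, value))
```

Running it shows the concatenated query rejected with a syntax error at the stray quote, while the placeholder inserts store De'Mont, the backslash, the binary bytes and the NULL color exactly as given; the last case illustrates why the text says you must know something about a variable's value before deciding whether it means NULL, since a placeholder cannot guess that for you.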

2.8.4 Perl