Home/ Questions/Q 6819499
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T21:18:49+00:00

I have an application that is saving clob data into database. Suppose when I

  • 0

I have an application that is saving clob data into database.
Suppose when I put some text into textbox and then click save.
It will call a procedure that will insert this text (clob) into database table.

Suppose I have the following text:

Hi i am gaurav’s soni’s

Now my procedure take this clob data as:

insert into rtf_clob(1,'Hi i am gaurav's soni's');

This however throws an error.

How to handle this single quote in dynamic data coming from front end?
I’m using oracle as RDBMS.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should not be writing code to escape the string. The fact that you need to escape the string implies that you are doing something wrong.

    If you are using bind variables in your INSERT statement, there will be no need to escape the string when there is a stray single quote. There will also be no need to try to identify SQL injection attacks in the string which is a huge security issue if you’re not using bind variables. And you won’t be forcing Oracle to parse the query every time it is executed which is critical to system performance.

    If the procedure you’re talking about is written in PL/SQL, it will use bind variables automatically. Guessing at the column names and assuming that you’re using a sequence to generate your primary key, you’d have something like this

    CREATE PROCEDURE insert_rtf_clob( p_clob IN NOCOPY CLOB )
AS
BEGIN
  INSERT INTO rtf_clob( rtf_clob_id, rtf_clob_value )
    VALUES( seq_rtf_clob_id.nextval, p_clob );
END;

    Other front-end languages will have different approaches to using bind variables. If you’re writing Java using JDBC, for example, you’d create a PreparedStatement and then then call appropriate setXXX methods, i.e.

    PreparedStatement stmt = conn.prepareStatement( "INSERT INTO rtf_clob VALUES( ?, ? )" );
stmt.setInt( 1, 1 ); // Set column 1 to a value of 1
stmt.setString( 2, someStringVariable ); // Set column 2 to someStringVariable
stmt.executeUpdate();
    • 0