klactose 0 Light Poster

Hello,

I am creating a little webpage that allows a person to choose between 3 different ways in which they can query for results (either id, date, or symbol). Everything works fine if choosing id and entering a value to search for, but if date or symbol is chosen then I get "invalid identifier" errors because for some reason the single quotes are being stripped from the query.

Here is the relevant code:

<%
     // 'search' is the request bean exposing getType() and getValue()
     Statement stmt = conn.createStatement();
     // Compare the type label case-insensitively: if getType() does not match the
     // literal exactly, the ternary falls through to the last branch and the value
     // is sent to Oracle without quotes, where it is parsed as a column name.
     // Oracle's date format model uses MON for an abbreviated month name, not MMM.
     String formattedInput = search.getType().equalsIgnoreCase("Symbol") ? ("'" + search.getValue() + "'")
               : search.getType().equalsIgnoreCase("Trans. Date") ? ("to_date('" + search.getValue() + "','dd-mon-yyyy')")
               : search.getValue();
%>
<p>Sending query to the server for: <%= search.getType().toUpperCase() %> = <%= formattedInput %></p>
<br />
<%
     ResultSet rs = stmt.executeQuery("Select * FROM"
               + " (Select member.mid, security.symbol, cname, trans_date, trans_type, quantity, price_per_share, commission, amount"
               + " FROM security, transaction, member"
               + " where (security.symbol = transaction.symbol)"
               + " and (member.mid = transaction.mid)) where " + search.getType() + " = "
               + formattedInput);
%>

And here is the output to my web page if search by symbol is chosen and the parameter is "orcl" without the quotes:

"Sending query to the server for: SYMBOL = ORCL

Begin Exception Dump:
java.sql.SQLSyntaxErrorException: ORA-00904: "ORCL": invalid identifier
End Exception "

Any clues on how I can stop the single quotes from disappearing?
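Added example (not the poster's code): the query above builds SQL by concatenating the search value, so whether the value ends up quoted depends on the ternary matching, and any value containing a quote can change the statement. A PreparedStatement removes both problems: the driver binds the value, so 'orcl' is sent as data rather than as an identifier, and the column name comes from a fixed whitelist instead of the request. The type labels, column names and the numeric mid are assumptions based on the post; adjust them to the real schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

/** Parameterised version of the transaction search. Illustrative; column names assumed from the post. */
public class TransactionSearch {

    // Whitelist: user-facing type label -> column in the query.
    // Only these three columns can ever be searched, whatever the request contains.
    static final Map<String, String> COLUMN_FOR_TYPE = Map.of(
        "ID", "member.mid",
        "Symbol", "security.symbol",
        "Trans. Date", "trans_date");

    private static final String BASE_SQL =
        "SELECT member.mid, security.symbol, cname, trans_date, trans_type,"
      + " quantity, price_per_share, commission, amount"
      + " FROM security, transaction, member"
      + " WHERE security.symbol = transaction.symbol"
      + " AND member.mid = transaction.mid";

    /** Builds the SQL text with a '?' placeholder; the user's value never appears in it. */
    static String buildSql(String type) {
        String column = COLUMN_FOR_TYPE.get(type);
        if (column == null) {
            throw new IllegalArgumentException("Unsupported search type: " + type);
        }
        // The TO_DATE format model stays a literal; only the date text is bound.
        String valueExpr = "Trans. Date".equals(type) ? "TO_DATE(?, 'DD-MON-YYYY')" : "?";
        return BASE_SQL + " AND " + column + " = " + valueExpr;
    }

    /** Runs the search. The caller closes the ResultSet; the statement closes with it. */
    static ResultSet search(Connection conn, String type, String value) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(buildSql(type));
        ps.closeOnCompletion();
        if ("ID".equals(type)) {
            // Assumption: mid is a NUMBER column, so bind it as an int (rejects non-numeric input early).
            ps.setInt(1, Integer.parseInt(value.trim()));
        } else {
            // The driver quotes and escapes the value; a value of orcl is sent as the string 'orcl'.
            ps.setString(1, value.trim());
        }
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Shows the generated statements without needing a database connection.
        for (String type : new String[] {"ID", "Symbol", "Trans. Date"}) {
            System.out.println(buildSql(type));
        }
    }
}
```

In the JSP the scriptlet then becomes `ResultSet rs = TransactionSearch.search(conn, search.getType(), search.getValue());`, and the "invalid identifier" error cannot occur for a symbol value because the value is bound, not spliced into the SQL text. The whitelist also means a type label that is not one of the three expected ones is rejected before any SQL is built.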