prepared statements are sent to the database in a totally different manner compared to standard SQL statements. They don't rely on text-based demarcation to determine the boundaries of a value compared to the logic in the statement itself. Your examples had a slight typo, that when fixed might be illustrative. The correct comparison is:
[code]userText = event.source.parent.getComponent("TextArea").text
userName = fpmi.security.getUsername()
# prepared statement: query text with ? placeholders and the values are sent separately
fpmi.db.runPrepStmt("INSERT INTO Comments (Name, UserComment) VALUES (?,?)", [userName, userText])
# string formatting: the values are spliced into the SQL text before it is sent
fpmi.db.runUpdateQuery("INSERT INTO Comments (Name, UserComment) VALUES ('%s', '%s')" % (userName, userText))[/code]
Notice that you need single quotes around the %s. In the second example, Jython is evaluating the string replacement BEFORE the string is sent to the database, so the query is just one big string that gets parsed. In the prepared statement example, a different API call is made to the database that sends the query (with question marks) and the values separately.
Hope this clears things up.
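To make the difference concrete, here is an added example (not part of the original post, and not using the fpmi API): Python's sqlite3 module stands in for the FactoryPMI database calls, since it uses the same ? placeholder convention. A comment containing an apostrophe breaks the text-demarcated version at parse time, while the prepared version stores it verbatim.

```python
import sqlite3

def setup():
    # constructed in-memory table matching the Comments table in the post
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Comments (Name TEXT, UserComment TEXT)")
    return conn

def insert_formatted(conn, user_name, user_text):
    # Mirrors runUpdateQuery: the values are spliced into the SQL text
    # BEFORE the database ever sees it, so the quote characters in the
    # data are indistinguishable from the quotes that delimit the value.
    sql = ("INSERT INTO Comments (Name, UserComment) VALUES ('%s', '%s')"
           % (user_name, user_text))
    conn.execute(sql)

def insert_prepared(conn, user_name, user_text):
    # Mirrors runPrepStmt: the query (with ? markers) and the values travel
    # separately, so the database never parses the data as SQL.
    sql = "INSERT INTO Comments (Name, UserComment) VALUES (?, ?)"
    conn.execute(sql, (user_name, user_text))

def compare(user_name, user_text):
    """Run both styles on the same input; report what each one did."""
    result = {}
    conn = setup()
    try:
        insert_formatted(conn, user_name, user_text)
        result["formatted"] = conn.execute(
            "SELECT UserComment FROM Comments").fetchone()[0]
    except sqlite3.DatabaseError as exc:
        # the spliced-in apostrophe ended the string literal early
        result["formatted"] = "error: %s" % type(exc).__name__
    conn.close()

    conn = setup()
    insert_prepared(conn, user_name, user_text)
    result["prepared"] = conn.execute(
        "SELECT UserComment FROM Comments").fetchone()[0]
    conn.close()
    return result

if __name__ == "__main__":
    print(compare("alice", "plain text"))      # both styles store it intact
    print(compare("alice", "O'Brien's line"))  # formatted fails, prepared is fine
```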