问题
Is there a native way of escaping strings for Ormlite for Android?
For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape func.
TestDao.queryForFirst(TestDao.queryBuilder().where().like("stats", stats)
.prepare())
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?
If not, what are the ways to do it?
Thank you!
回答1:
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?
This is a FAQ. The proper way to do this is to use a SelectArg argument so the SQL can use a ? type of construct. Here's another question talking about this.
SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
TestDao.queryBuilder().where().like("stats", selectArg).prepare());
Here's the documentation on the select-arg functionality.
Edit:
As @Moritz points out, if you are actually updating the database, you can also use the SelectArg with the UpdateBuilder:
SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);
来源:https://stackoverflow.com/questions/6400782/ormlite-escape-string-method