Google App Engine 的 JDO：转义引号

发布于 2024-08-06 09:04:00 字数 294 浏览 3 评论 0原文

如何转义 JDO (Google App Engine) 中的查询参数？

例如，如果变量名称可能包含单引号 (') 形式的不安全字符，如何使下一个片段安全

PersistenceManager pm = ...;
String query = "select from Person where name='"+name+"'";
List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).execute();

原文

How do I escape parameters of queries in JDO (Google App Engine)?

For example, how do I make the next snippet safe, if the variable name may contain unsafe chars as single quotes (')

PersistenceManager pm = ...;
String query = "select from Person where name='"+name+"'";
List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).execute();

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

无法言说的痛 2024-08-13 09:04:00

请改用查询参数，这比在查询本身中包含值要安全得多。以下是 GAE 文档中的示例：

Query query = pm.newQuery("select from Employee " +
                          "where lastName == lastNameParam " +
                          "order by hireDate desc " +
                          "parameters String lastNameParam");

List<Employee> results = (List<Employee>) query.execute("Smith");

Use query parameters instead, it's a much safer than including the values in the query itself. Here is an example from the GAE documentation:

Query query = pm.newQuery("select from Employee " +
                          "where lastName == lastNameParam " +
                          "order by hireDate desc " +
                          "parameters String lastNameParam");

List<Employee> results = (List<Employee>) query.execute("Smith");

回复收藏 0 原文

~没有更多了~