java - How to escape dynamically generated String values in a JCR SQL2 query?


Let's pretend I have a JCR 2 query string built like this:

    String sql2Query = "select * from [cq:PageContent] " +
        "where [aProperty] <> \"" + aValue + "\"";

Are there helper methods I can use to escape aValue?

By the way, I know that in SQL2 I can use placeholders in queries and let the framework take care of escaping the values for us, but if I create the query dynamically, how can I escape aValue to prevent SQL injection or the construction of broken queries?

Yes, you can use placeholders. Dynamically created queries can use placeholders.

As for SQL-2, you need to use single quotes, not double quotes. Example:

    select * from [cq:PageContent] where [aProperty] <> 'joe''s taxi'

You need to escape single quotes, using the single quote as the escape character:

    String aValue = "joe's taxi";
    String sql2Query = "select * from [cq:PageContent] " +
        "where [aProperty] <> '" + aValue.replaceAll("'", "''") + "'";

If you want to use XPath, you can use single quotes or double quotes, but single quotes are used (the same as in SQL-2). XPath queries don't support placeholders currently.
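As an added example (not code from the question or the answer above), here is a Java helper that applies the single-quote doubling the answer describes, next to the bind-variable form the answer calls placeholders. It assumes the javax.jcr 2.0 API is on the classpath; the class and method names are hypothetical.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

public final class Sql2Escaping {

    /** Turn a Java string into a JCR-SQL2 string literal: wrap in single quotes
     *  and double every embedded single quote, so the value can never close
     *  the literal early. Plain-string replace, no regex involved. */
    public static String sql2Literal(String value) {
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        return "'" + value.replace("'", "''") + "'";
    }

    /** Concatenation approach from the answer: safe only because every
     *  dynamic literal is routed through sql2Literal(). */
    public static String buildByConcatenation(String aValue) {
        return "select * from [cq:PageContent] where [aProperty] <> " + sql2Literal(aValue);
    }

    /** Bind-variable approach: the value is bound by name ($aValue) and never
     *  becomes part of the statement text, so no escaping is needed at all. */
    public static QueryResult queryWithBindVariable(Session session, String aValue)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query query = qm.createQuery(
                "select * from [cq:PageContent] where [aProperty] <> $aValue",
                Query.JCR_SQL2);
        query.bindValue("aValue", session.getValueFactory().createValue(aValue));
        return query.execute();
    }

    public static void main(String[] args) {
        // Constructed sample input: an embedded quote that would otherwise
        // terminate the literal and let the remainder be parsed as SQL2.
        String sample = "joe's taxi' or [aProperty] <> '";
        // The doubled quotes keep the whole value inside one string literal.
        System.out.println(buildByConcatenation(sample));
    }
}
```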

