开发者

Ormlite escape string method?

Is there a native way of escaping strings for Ormlite for Android?

For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape func.

TestDao.queryForFirst(TestDao.queryBuilder().where().like("stats", stats)
    .prepare())

I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a开发者_如何学Go native support for escaping strings to be sql injection safe?

If not, what are the ways to do it?

Thank you!


I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?

This is a FAQ. The proper way to do this is to use a SelectArg argument so the SQL can use a ? type of construct. Here's another question talking about this.

SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
    TestDao.queryBuilder().where().like("stats", selectArg).prepare());

Here's the documentation on the select-arg functionality.

Edit:

As @Moritz points out, if you are actually updating the database, you can also use the SelectArg with the UpdateBuilder:

SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜