从commons.lang迁移StringEscapeUtils.escapeSql [英] Migrating StringEscapeUtils.escapeSql from commons.lang

问题描述

我已经开始将commons.lang 2迁移到commons.lang3.

I have started to migrate commons.lang 2 to commons.lang3.

根据 https://commons.apache.org/proper/commons-lang/article3_0.html

StringEscapeUtils.escapeSql

StringEscapeUtils.escapeSql

这是一种令人误解的方法，仅处理可能的最简单的SQL案例. >由于SQL不是Lang的重点，因此维护此方法没有任何意义.

This was a misleading method, only handling the simplest of possible SQL cases. >As SQL is not Lang's focus, it didn't make sense to maintain this method.

了解它，但是建议使用什么代替它?

Understand it but what is recommended to use instead of it?

说明

您可以推荐第三方执行类似于StringEscapeUtils.escapeSql的简单escapeSQL吗?

Can you recommend a third party that perform simple escapeSql similar to StringEscapeUtils.escapeSql?

推荐答案

目前，此方法仅将单引号转换为加倍的单引号("McHale's Navy" =>"McHale's Navy").

At present, this method only turns single-quotes into doubled single-quotes ("McHale's Navy" => "McHale''s Navy").

这是方法代码:

  /**
675         * <p>Escapes the characters in a <code>String</code> to be suitable to pass to
676         * an SQL query.</p>
677         *
678         * <p>For example,
679         * <pre>statement.executeQuery("SELECT * FROM MOVIES WHERE TITLE='" + 
680         *   StringEscapeUtils.escapeSql("McHale's Navy") + 
681         *   "'");</pre>
682         * </p>
683         *
684         * <p>At present, this method only turns single-quotes into doubled single-quotes
685         * (<code>"McHale's Navy"</code> => <code>"McHale''s Navy"</code>). It does not
686         * handle the cases of percent (%) or underscore (_) for use in LIKE clauses.</p>
687         *
688         * see http://www.jguru.com/faq/view.jsp?EID=8881
689         * @param str  the string to escape, may be null
690         * @return a new String, escaped for SQL, <code>null</code> if null string input
691         */
692        public static String escapeSql(String str) {
693            if (str == null) {
694                return null;
695            }
696            return StringUtils.replace(str, "'", "''");
697        }

因此，您可以通过简单地调用String#replace轻松地替换该方法.

So you could easily replace the method with a simple call to String#replace.

但是，有一种方法被删除的原因.这真是半生半熟，我想不出为什么要使用它的一个很好的理由.例如，要运行JDBC查询，您可以并且应该使用绑定变量，而不是尝试插值和转义字符串文字.

However, there is a reason that the method was removed. It was really half-baked and I cannot think of a good reason why you would want to use it. To run JDBC queries for example, you can and should use bind variables instead of trying to interpolate and escape string literals.

这篇关于从commons.lang迁移StringEscapeUtils.escapeSql的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！