Ormlite逃避字符串的方法? [英] Ormlite escape string method?
问题描述
有没有转义Ormlite字符串的Android原生的方式?
例如,如果我想提供一个字符串:ormlite的逃生FUNC,它需要提供的ormlite \的逃生FUNC
TestDao.queryForFirst(TestDao.queryBuilder()。其中,()。象(统计,统计数据)
。prepare())
我试着使用UpdateBuilder的escapeValue方法,但它只是提出了以下变化: ormlite的逃命FUNC。它增加了单引号来开始和语句的结束。是否有逃逸字符串是SQL注入原生支持安全吗?
如果不是,有什么办法做到这一点?
感谢您!
我试着使用UpdateBuilder的escapeValue方法,但它只是提出了如下的变化:ormlite的逃生FUNC。它增加了单引号来开始和语句的结束。是否有逃逸字符串是SQL注入原生支持安全吗?
这是一个常见问题。正确的方法做,这是使用 SelectArg
参数使SQL可以使用?类型的构造。这里还有一个<一个href="http://stackoverflow.com/questions/5280227/sql-exception-$p$pparing-query-with-ormlite/5284144#5284144">question说起这个。
SelectArg selectArg =新SelectArg(统计);
TestDao.queryForFirst(
。TestDao.queryBuilder(),其中()一样(统计,selectArg)prepare());
下面是在选择带参数的功能的文档:
这是关于这个ORMLite用户列表上的一些讨论:
的http://groups.google.com/group/ormlite-dev/browse_thread/thread/71d07202404f97e7
的http://groups.google.com/group/ormlite-user/browse_thread/thread/7ced95c474031e3c
编辑:
由于@Moritz指出,如果你实际上是在更新数据库,也可以使用 SelectArg
与 UpdateBuilder
:
SelectArg ARG =新SelectArg(一些价值);
updateBuilder.updateColumnValue(MY_COLUMN,ARG);
Is there a native way of escaping strings for Ormlite for Android?
For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape func.
TestDao.queryForFirst(TestDao.queryBuilder().where().like("stats", stats)
.prepare())
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?
If not, what are the ways to do it?
Thank you!
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?
This is a FAQ. The proper way to do this is to use a SelectArg
argument so the SQL can use a ? type of construct. Here's another question talking about this.
SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
TestDao.queryBuilder().where().like("stats", selectArg).prepare());
Here's the documentation on the select-arg functionality:
And here's some discussions about this on the ORMLite user list:
http://groups.google.com/group/ormlite-dev/browse_thread/thread/71d07202404f97e7
http://groups.google.com/group/ormlite-user/browse_thread/thread/7ced95c474031e3c
Edit:
As @Moritz points out, if you are actually updating the database, you can also use the SelectArg
with the UpdateBuilder
:
SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);
这篇关于Ormlite逃避字符串的方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!