JDO for Google App Engine: escaping quotes

Views: 173

Problem description


How do I escape parameters of queries in JDO (Google App Engine)?

For example, how do I make the next snippet safe if the variable name may contain unsafe characters such as single quotes (')?

PersistenceManager pm = ...;
String query = "select from Person where name='"+name+"'";
List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).execute();

Solution

Use query parameters instead; it's much safer than including the values in the query itself. Here is an example from the GAE documentation:

Query query = pm.newQuery("select from Employee " +
                          "where lastName == lastNameParam " +
                          "order by hireDate desc " +
                          "parameters String lastNameParam");

List<Employee> results = (List<Employee>) query.execute("Smith");
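As an added illustration, not part of the original answer or of the GAE documentation, the same query written with the method-based javax.jdo.Query API (setFilter, declareParameters, setOrdering, executeWithMap) next to the concatenated form the question asks about. It assumes a hypothetical persistent class Employee with String fields lastName and department and a Date field hireDate, modelled on the documentation snippet above.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Example added here; Employee is an assumed JDO persistence-capable class
// with fields lastName (String), department (String) and hireDate (Date).
public class EmployeeQueries {

    // The pattern from the question: the caller-supplied value is spliced into
    // the JDOQL text, so a quote inside lastName is parsed as query syntax
    // rather than compared as data. Kept only for contrast with the safe form.
    @SuppressWarnings("unchecked")
    static List<Employee> findByLastNameConcatenated(PersistenceManager pm, String lastName) {
        String jdoql = "select from " + Employee.class.getName()
                     + " where lastName == '" + lastName + "'";
        return (List<Employee>) pm.newQuery(jdoql).execute();
    }

    // Parameterised form: the query text is fixed, and lastName is bound to the
    // declared parameter as a value. An apostrophe in it (e.g. "O'Brien") is
    // simply part of the string being matched and cannot alter the filter.
    @SuppressWarnings("unchecked")
    static List<Employee> findByLastName(PersistenceManager pm, String lastName) {
        Query q = pm.newQuery(Employee.class);
        q.setFilter("lastName == lastNameParam");
        q.declareParameters("String lastNameParam");
        q.setOrdering("hireDate desc");
        try {
            return (List<Employee>) q.execute(lastName);
        } finally {
            q.closeAll(); // release any result iterators still open on the query
        }
    }

    // Several parameters bound by name through executeWithMap(), which reads
    // more clearly than a positional execute(a, b) call once there are
    // more than one or two values.
    @SuppressWarnings("unchecked")
    static List<Employee> findByLastNameAndDepartment(PersistenceManager pm,
                                                      String lastName, String department) {
        Query q = pm.newQuery(Employee.class);
        q.setFilter("lastName == lastNameParam && department == deptParam");
        q.declareParameters("String lastNameParam, String deptParam");
        Map<String, Object> params = new HashMap<>();
        params.put("lastNameParam", lastName);
        params.put("deptParam", department);
        try {
            return (List<Employee>) q.executeWithMap(params);
        } finally {
            q.closeAll();
        }
    }
}
```

The single-string form in the answer above and the setFilter/declareParameters form are equivalent; the method form just makes it harder to slip a concatenated value back in. On the App Engine datastore, combining an equality filter with an ordering on a different property (lastName plus hireDate desc) needs a composite index entry in datastore-indexes.xml, which the development server generates automatically when the query is first run.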

