Ormlite escape string method?

2019-03-27 05:30发布

问题:

Is there a native way of escaping strings for Ormlite for Android?

For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape func.

TestDao.queryForFirst(TestDao.queryBuilder().where().like("stats", stats)
    .prepare())

I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?

If not, what are the ways to do it?

Thank you!

回答1:

I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?

This is a FAQ. The proper way to do this is to use a SelectArg argument so the SQL can use a ? type of construct. Here's another question talking about this.

SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
    TestDao.queryBuilder().where().like("stats", selectArg).prepare());

Here's the documentation on the select-arg functionality.

Edit:

As @Moritz points out, if you are actually updating the database, you can also use the SelectArg with the UpdateBuilder:

SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);