I have used javax.jdo.Query as in JDO for Google App Engine: escaping quotes. Yet my query string with a single quote (') keeps getting exploded.
Query query = pm.newQuery("select from " + Book.class.getName() + " where mArtist== '"+ artist + "' && mTitle=='" + title + "'");
Here is the exception:
javax.jdo.JDOUserException: Portion of expression could not be parsed: 't Give Up'
org.datanucleus.store.query.QueryCompilerSyntaxException: Portion of expression could not be parsed: 't Give Up'
Here is the query.toString():
SELECT FROM com.example.Book WHERE mArtist== 'Famous Writer' && mTitle=='We Won''t Give Up'
Yeah, I have even escaped the single quote (') with a double single quote, per the App Engine docs.
The example code in the documentation only covers a single parameter substitution. Here is a bit more.
Some SO questions worth reading:
How to dynamically build JDO Queries on multiple parameters
Google Datastore problem with query on *User* type
Building a query by string concatenation is almost always a risky thing to do, even when SQL Injection attacks aren't possible. (They aren't with GAE.)
See http://code.google.com/appengine/docs/java/datastore/jdo/queries.html#Introducing_Queries and note the bit on "parameter substitution".
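Both answers point at parameter substitution rather than quoting, and the first notes that the docs only show a single parameter. The following is an added example, not code from the question or from the App Engine documentation, showing how the question's artist/title lookup looks with two declared parameters, plus a variant that builds the filter from a map of field/value pairs (the "dynamically build JDO Queries on multiple parameters" case). It assumes the question's Book class with String fields mArtist and mTitle, and a PersistenceManager obtained from the application's PersistenceManagerFactory, which is not shown. Because the values are bound as parameters, a title such as We Won't Give Up is never part of the text the JDOQL parser sees, so no quote escaping is needed. Note that only the values are bound: the field names in the dynamic variant are still concatenated into the filter string, so they are checked against a fixed allow-list before use.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Added example (not from the original page). Book is assumed to be the
// question's persistent class with String fields mArtist and mTitle.
public class BookLookup {

    // Fixed lookup with two declared parameters. The filter text contains
    // only identifiers; the user-supplied strings are bound by execute().
    @SuppressWarnings("unchecked")
    public static List<Book> findByArtistAndTitle(PersistenceManager pm,
                                                  String artist, String title) {
        Query query = pm.newQuery(Book.class);
        query.setFilter("mArtist == artistParam && mTitle == titleParam");
        query.declareParameters("String artistParam, String titleParam");
        try {
            // Arguments are bound positionally, in declaration order.
            List<Book> results = (List<Book>) query.execute(artist, title);
            // Copy before closing: App Engine result lists are loaded lazily.
            return new ArrayList<Book>(results);
        } finally {
            query.closeAll();
        }
    }

    // Field names that may appear in a dynamically built filter. Field names
    // are spliced into the query text, so they must never come straight from
    // user input; only the values are passed as bound parameters.
    private static final Set<String> QUERYABLE_FIELDS =
            new HashSet<String>(Arrays.asList("mArtist", "mTitle"));

    // Dynamic lookup: one "field == pN" term per map entry, AND-ed together,
    // with each value bound by name through executeWithMap().
    @SuppressWarnings("unchecked")
    public static List<Book> findByFields(PersistenceManager pm,
                                          Map<String, String> criteria) {
        if (criteria.isEmpty()) {
            throw new IllegalArgumentException("at least one criterion is required");
        }
        StringBuilder filter = new StringBuilder();
        StringBuilder params = new StringBuilder();
        Map<String, Object> bindings = new HashMap<String, Object>();
        int n = 0;
        for (Map.Entry<String, String> e : criteria.entrySet()) {
            String field = e.getKey();
            if (!QUERYABLE_FIELDS.contains(field)) {
                throw new IllegalArgumentException("field not queryable: " + field);
            }
            String paramName = "p" + n++;
            if (filter.length() > 0) {
                filter.append(" && ");
                params.append(", ");
            }
            filter.append(field).append(" == ").append(paramName);
            params.append("String ").append(paramName);
            bindings.put(paramName, e.getValue());
        }

        Query query = pm.newQuery(Book.class);
        query.setFilter(filter.toString());          // e.g. "mArtist == p0 && mTitle == p1"
        query.declareParameters(params.toString());  // e.g. "String p0, String p1"
        try {
            List<Book> results = (List<Book>) query.executeWithMap(bindings);
            return new ArrayList<Book>(results);
        } finally {
            query.closeAll();
        }
    }

    // Usage with the question's values; pm comes from the app's PMF (not shown).
    public static List<Book> lookupFromQuestion(PersistenceManager pm) {
        Map<String, String> criteria = new HashMap<String, String>();
        criteria.put("mArtist", "Famous Writer");
        criteria.put("mTitle", "We Won't Give Up");   // no escaping needed
        return findByFields(pm, criteria);
    }
}
```

On App Engine the datastore will only serve a filter made of equality terms like these if the combined query is supported by its indexes; a filter mixing inequality operators on more than one property would need a different approach, but that is outside what the question asks.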