JDO for Google App Engine: escaping quotes

2019-04-29 17:03发布

How do I escape parameters of queries in JDO (Google App Engine)?

For example, how do I make the next snippet safe, if the variable name may contain unsafe chars as single quotes (')

PersistenceManager pm = ...;
String query = "select from Person where name='"+name+"'";
List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).execute();

标签： security google-app-engine jdo jdoql

1条回答

疯言疯语

2楼-- · 2019-04-29 17:05

Use query parameters instead, it's a much safer than including the values in the query itself. Here is an example from the GAE documentation:

Query query = pm.newQuery("select from Employee " +
                          "where lastName == lastNameParam " +
                          "order by hireDate desc " +
                          "parameters String lastNameParam");

List<Employee> results = (List<Employee>) query.execute("Smith");

0人赞添加讨论(0) 举报

JDO for Google App Engine: escaping quotes

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间