appengine datastore query escaping single quote (')

Submitted by 夙愿已清 on 2019-12-12 03:12:41

Question


I have used javax.jdo.Query like here: JDO for Google App Engine: escaping quotes. Yet, my query string with a single quote (') keeps getting exploded.

Query query = pm.newQuery("select from " + Book.class.getName() + " where mArtist== '"+ artist + "' &&  mTitle=='" + title + "'");

Here is the exception

javax.jdo.JDOUserException: Portion of expression could not be parsed: 't Give Up' 
org.datanucleus.store.query.QueryCompilerSyntaxException: Portion of expression could not be parsed: 't Give Up'

Here is this query.toString()

SELECT FROM com.example.Book WHERE mArtist== 'Famous Writer' &&  mTitle=='We Won''t Give Up'

Yeh, I have even escaped the single quote (') with a double single quote per the appengine docs:

a str literal, as a single-quoted string. Single-quote characters in the string must be escaped as ''. For example: 'Joe''s Diner'


Answer 1:


Building a query by string concatenation is almost always a risky thing to do, even when SQL Injection attacks aren't possible. (They aren't with GAE.)

See http://code.google.com/appengine/docs/java/datastore/jdo/queries.html#Introducing_Queries and note the bit on "parameter substitution".




Answer 2:


The example code in the document only covers a single parameter substitution. Here is a bit more.

Query query = pm.newQuery(Book.class);
query.setFilter("mArtist == artist && mTitle == title");
query.declareParameters("String artist,String title");
List<Book> list = (List<Book>) query.execute("Famous Writer","We Won't Give Up");

Some SO questions worth reading:

How to dynamically build JDO Queries on multiple parameters

Google Datastore problem with query on *User* type
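As an added example (not code from either answer above), the following Java class shows the parameter-substitution approach from answers 1 and 2 in a reusable form, and generalises it to an equality filter over any number of fields. It assumes the com.example.Book entity from the question with String properties mArtist and mTitle, an open javax.jdo.PersistenceManager supplied by the caller, and the JDO 2.x Query API (setFilter, declareParameters, execute, executeWithMap, closeAll). Because the values travel as declared parameters rather than being spliced into the JDOQL string, a title such as "We Won't Give Up" needs no quoting or escaping at all; the only string that is assembled dynamically is the field list, which is checked against a fixed whitelist so that user input can never reach the filter text.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;

import com.example.Book; // assumed entity from the question: fields mArtist, mTitle

public class BookQueries {

    // Only these entity properties may appear in a dynamically built filter.
    // Assumption for this example; extend it with the real entity's fields.
    private static final Set<String> ALLOWED_FIELDS =
            new HashSet<String>(Arrays.asList("mArtist", "mTitle"));

    /**
     * Fixed two-parameter lookup, equivalent to answer 2. The artist and title
     * are bound as JDOQL parameters, so quotes inside them are ordinary data.
     */
    @SuppressWarnings("unchecked")
    public static List<Book> findByArtistAndTitle(PersistenceManager pm,
                                                  String artist, String title) {
        Query query = pm.newQuery(Book.class);
        query.setFilter("mArtist == artistParam && mTitle == titleParam");
        query.declareParameters("String artistParam, String titleParam");
        try {
            // Copy the results before closing: DataNucleus invalidates the
            // result list when the query is closed.
            return new ArrayList<Book>((List<Book>) query.execute(artist, title));
        } finally {
            query.closeAll();
        }
    }

    /**
     * Generalisation: build "field == pN && ..." from a map of field -> value.
     * Field names are taken from application code and validated against
     * ALLOWED_FIELDS; values are always passed via executeWithMap, never
     * concatenated into the filter string.
     */
    @SuppressWarnings("unchecked")
    public static List<Book> findByEqualityFilters(PersistenceManager pm,
                                                   Map<String, String> filters) {
        StringBuilder filter = new StringBuilder();
        StringBuilder params = new StringBuilder();
        Map<String, Object> values = new HashMap<String, Object>();
        int i = 0;
        for (Map.Entry<String, String> e : filters.entrySet()) {
            String field = e.getKey();
            if (!ALLOWED_FIELDS.contains(field)) {
                throw new IllegalArgumentException("Unknown filter field: " + field);
            }
            String paramName = "p" + i++;
            if (filter.length() > 0) {
                filter.append(" && ");
                params.append(", ");
            }
            filter.append(field).append(" == ").append(paramName);
            params.append("String ").append(paramName);
            values.put(paramName, e.getValue());
        }

        Query query = pm.newQuery(Book.class);
        if (filter.length() > 0) {
            query.setFilter(filter.toString());
            query.declareParameters(params.toString());
        }
        try {
            return new ArrayList<Book>((List<Book>) query.executeWithMap(values));
        } finally {
            query.closeAll();
        }
    }

    // Usage sketch (requires a configured PersistenceManagerFactory):
    //   Map<String, String> f = new HashMap<String, String>();
    //   f.put("mArtist", "Famous Writer");
    //   f.put("mTitle", "We Won't Give Up");   // apostrophe is just data
    //   List<Book> books = findByEqualityFilters(pm, f);
}
```

The whitelist matters because the field-name half of the filter is the one part still built from strings: restricting it to known property names keeps the parameterisation from being undone by a caller that passes a user-supplied key.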



Source: https://stackoverflow.com/questions/9552064/appengine-datastore-query-escaping-single-quote
