Escaping single quotes in App Engine datastore queries

This article explains how to handle escaping single quotes (') in App Engine datastore queries. It should be a useful reference for anyone hitting this problem; if you need it, read on with us.

Problem description


I have used javax.jdo.Query like here: JDO for Google App Engine: escaping quotes. Yet, my query string with a single quote (') keeps getting exploded.

Query query = pm.newQuery("select from " + Book.class.getName() + " where mArtist== '"+ artist + "' &&  mTitle=='" + title + "'");

Here is the exception

javax.jdo.JDOUserException: Portion of expression could not be parsed: 't Give Up'
org.datanucleus.store.query.QueryCompilerSyntaxException: Portion of expression could not be parsed: 't Give Up'

Here is this query.toString()

SELECT FROM com.example.Book WHERE mArtist== 'Famous Writer' &&  mTitle=='We Won''t Give Up'

Yeh, I have even escaped the single quote (') with a double single quote per the appengine docs:

a str literal, as a single-quoted string. Single-quote characters in the string must be escaped as ''. For example: 'Joe''s Diner'

Solution

Building a query by string concatenation is almost always a risky thing to do, even when SQL Injection attacks aren't possible. (They aren't with GAE.)

See http://code.google.com/appengine/docs/java/datastore/jdo/queries.html#Introducing_Queries and note the bit on "parameter substitution".
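As an added example (not code from the answer, the question or the App Engine docs), here is the concatenated query from the question rewritten with JDO parameter substitution. Book, its mArtist and mTitle fields and the PersistenceManager pm are taken from the question; the parameter names artistParam and titleParam are assumed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

public class BookQueries {

    // Book is the @PersistenceCapable entity from the question; the
    // parameter names below are an assumption for this example.
    @SuppressWarnings("unchecked")
    public static List<Book> findByArtistAndTitle(PersistenceManager pm,
                                                  String artist, String title) {
        Query q = pm.newQuery(Book.class);
        // The filter names parameters instead of splicing user values into it,
        // so the query text is fixed and the values are never parsed as JDOQL.
        q.setFilter("mArtist == artistParam && mTitle == titleParam");
        q.declareParameters("String artistParam, String titleParam");
        try {
            // A title such as "We Won't Give Up" is bound as a value, so it needs
            // no quote escaping and cannot break or alter the query expression.
            List<Book> results = (List<Book>) q.execute(artist, title);
            // Copy out of the lazily loaded result before closing the query.
            return new ArrayList<Book>(results);
        } finally {
            q.closeAll();
        }
    }
}
```

The risky form from the question, `pm.newQuery("select from ... where mTitle=='" + title + "'")`, is replaced by a fixed filter plus bound values; the same pattern applies to any other string-valued property.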

That concludes this article on escaping single quotes (') in App Engine datastore queries. We hope the answer recommended here helps, and thank you for your continued support!

08-13 20:37