java 从 commons.lang 迁移 StringEscapeUtils.escapeSql
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/32096614/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Migrating StringEscapeUtils.escapeSql from commons.lang
提问by Michael
I have started to migrate commons.lang 2 to commons.lang3.
我已经开始将 commons.lang 2 迁移到 commons.lang3。
According to https://commons.apache.org/proper/commons-lang/article3_0.html
根据 https://commons.apache.org/proper/commons-lang/article3_0.html
StringEscapeUtils.escapeSql
This was a misleading method, only handling the simplest of possible SQL cases. >As SQL is not Lang's focus, it didn't make sense to maintain this method.
StringEscapeUtils.escapeSql
这是一种误导性的方法,只处理最简单的可能的 SQL 情况。> 由于 SQL 不是 Lang 的重点,因此维护此方法没有意义。
Understand it but what is recommended to use instead of it?
理解它但建议使用什么来代替它?
Clarification
澄清
Can you recommend a third party that perform simple escapeSql similar to StringEscapeUtils.escapeSql?
你能推荐一个第三方来执行类似于 StringEscapeUtils.escapeSql 的简单escapeSql吗?
回答by Thilo
At present, this method only turns single-quotes into doubled single-quotes ("McHale's Navy" => "McHale''s Navy").
目前,这种方法只能将单引号变成双引号(“McHale's Navy” => “McHale's Navy”)。
This was the method code:
这是方法代码:
/**
675 * <p>Escapes the characters in a <code>String</code> to be suitable to pass to
676 * an SQL query.</p>
677 *
678 * <p>For example,
679 * <pre>statement.executeQuery("SELECT * FROM MOVIES WHERE TITLE='" +
680 * StringEscapeUtils.escapeSql("McHale's Navy") +
681 * "'");</pre>
682 * </p>
683 *
684 * <p>At present, this method only turns single-quotes into doubled single-quotes
685 * (<code>"McHale's Navy"</code> => <code>"McHale''s Navy"</code>). It does not
686 * handle the cases of percent (%) or underscore (_) for use in LIKE clauses.</p>
687 *
688 * see http://www.jguru.com/faq/view.jsp?EID=8881
689 * @param str the string to escape, may be null
690 * @return a new String, escaped for SQL, <code>null</code> if null string input
691 */
692 public static String escapeSql(String str) {
693 if (str == null) {
694 return null;
695 }
696 return StringUtils.replace(str, "'", "''");
697 }
So you could easily replace the method with a simple call to String#replace.
因此,您可以通过简单的调用轻松替换该方法String#replace。
However, there is a reason that the method was removed. It was really half-baked and I cannot think of a good reason why you would want to use it. To run JDBC queries for example, you can and should use bind variables instead of trying to interpolate and escape string literals.
但是,删除该方法是有原因的。它真的是半生不熟,我想不出你想要使用它的充分理由。例如,要运行 JDBC 查询,您可以并且应该使用绑定变量,而不是尝试插入和转义字符串文字。
回答by Matja? Pe?an
In case you are using a JDBC connection, preparing a statement with parameters like:
如果您使用的是 JDBC 连接,请准备一个带有如下参数的语句:
con.prepareStatement("INSERT INTO table1 VALUES (?,?)");
pstmt.setInt(1, 200);
pstmt.setString(2, "Julie");
pstmt.executeUpdate();
You do not need to escape any elements that you insert using the functions on a prepared statement. Those are escaped automatically.
您不需要使用预准备语句中的函数对您插入的任何元素进行转义。那些是自动转义的。
This has been answered before in: Java - escape string to prevent SQL injection
这已经在之前回答过: Java - 转义字符串以防止 SQL 注入
