I am aware that using Prepared Statements is the best way to protect against SQL Injection (and syntax errors due to unescaped characters in unchecked input).

我知道使用 Prepared Statements 是防止 SQL 注入（以及由于未检查输入中的未转义字符导致的语法错误）的最佳方法。

My current situation is that I am writing some Java code to move data from one third party application to another. The destination application uses a proprietary version of Sybase and so whilst I do have the JTDSJDBC driver PreparedStatementfails, as the driver uses temporary stored procedures which aren't supported in this particular flavour of the database. So I only have Statementto work with and I have no control over the user input as it is coming from another application.

我目前的情况是我正在编写一些 Java 代码来将数据从一个第三方应用程序移动到另一个应用程序。目标应用程序使用 Sybase 的专有版本，因此虽然我确实有JTDSJDBC 驱动程序PreparedStatement失败，因为该驱动程序使用临时存储过程，在这种特定类型的数据库中不受支持。所以我只需要Statement使用并且我无法控制用户输入，因为它来自另一个应用程序。

There is this similar questionbut that is focused on fixing the problem where you have a parameter such as a table which cannot be handled via a Prepared Statement. My case is different and hopefully simpler, since I have straightforward SQL statements. I would like to know if there is a best practice for replicating something like the following without using PreparedStatement:

有一个类似的问题，但重点是解决您有一个参数（例如无法通过准备好的语句处理的表）的问题。我的情况不同，希望更简单，因为我有简单的 SQL 语句。我想知道是否有最佳实践可以在不使用的情况下复制以下内容PreparedStatement：

PreparedStatement statement = connection.prepareStatement("UPDATE mytable SET value=? WHERE id=?");
statement.setInt(1, getID());
statement.setString(2,userInput);
statement.executeUpdate();

So I guess the problem is how can I sanitise the user input reliably? I can try to do that myself from scratch but this seems like a bad idea as there is likely to be at least one edge case I'd miss, so I was hoping there was a library out there that would do that for me, but I haven't been able to find one so far.

所以我想问题是如何可靠地清理用户输入？我可以尝试自己从头开始，但这似乎是一个坏主意，因为我可能会错过至少一个边缘情况，所以我希望那里有一个图书馆可以为我做到这一点，但是到目前为止我还没有找到一个。