I have a special caserequiring that I generate part of a SQL WHERE clause from user supplied input values. I want to prevent any sort of SQL Injection vulnerability. I've come up with the following code:

我有一个特殊情况，要求我从用户提供的输入值生成 SQL WHERE 子句的一部分。我想防止任何类型的 SQL 注入漏洞。我想出了以下代码：

private String encodeSafeSqlStrForPostgresSQL(String str) {

  //Replace all apostrophes with double apostrophes
  String safeStr = str.replace("'", "''");

  //Replace all backslashes with double backslashes
  safeStr = safeStr.replace("\", "\\");

  //Replace all non-alphanumeric and punctuation characters (per ASCII only)
  safeStr = safeStr.replaceAll("[^\p{Alnum}\p{Punct}]", "");

  //Use PostgreSQL's special escape string modifier
  safeStr = "E'" + safeStr + "'";

  return safeStr;
}

Questions:

问题：

• Do you see any issues?
• Can you provide a better solution?
• Are there any existing libraries to help with this?

• 你看到任何问题吗？
• 你能提供更好的解决方案吗？
• 是否有任何现有的图书馆可以帮助解决这个问题？

Notes:

笔记：

• This is a common question on SO and elsewhere, but the only answer I've seen is to always use PreparedStatements. Fwiw, I'm using JasperReports. I want to keep the query inside of JasperReports. The built-in Jasper parameter functions for query parameter handling (including the X{} functions) are not sufficient for what I need to parametrize. I could try creating a custom Jasper QueryExecutor that would allow me to inject my own X{} functions, but that's more complicated than just generating a dynamic SQL where clause with Jasper's $P!{} syntax.

• I looked at the OWASP libraries. They do not have a PostgresSQL codec yet. I looked at the OracleCodecthough and its escaping seemed simplistic. I'm not sure it would be of much helping preventing SQL injection attacks.

• In my code I'm adding the E so as to not be dependent on PostgreSQL's standard_conforming_strings setting. Ideally I wouldn't have to add that and then the function wouldn't have to be PostgreSQL specific. More info: http://www.postgresql.org/docs/9.0/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE.

• 这是 SO 和其他地方的常见问题，但我看到的唯一答案是始终使用 PreparedStatements。Fwiw，我正在使用 JasperReports。我想将查询保留在 JasperReports 中。用于查询参数处理的内置 Jasper 参数函数（包括 X{} 函数）不足以满足我需要参数化的需求。我可以尝试创建一个自定义 Jasper QueryExecutor，它允许我注入我自己的 X{} 函数，但这比仅使用 Jasper 的 $P!{} 语法生成动态 SQL where 子句要复杂。

• 我查看了OWASP 库。他们还没有 PostgresSQL 编解码器。不过，我查看了OracleCodec，它的转义似乎很简单。我不确定这对防止 SQL 注入攻击有多大帮助。

• 在我的代码中，我添加了 E 以便不依赖于 PostgreSQL 的 standard_conforming_strings 设置。理想情况下，我不必添加它，然后该函数就不必特定于 PostgreSQL。更多信息：http: //www.postgresql.org/docs/9.0/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE。

Ideally I would've liked a more generic and robust solution that I knew would be safe and support all possible UTF-8 strings.

理想情况下，我会喜欢一个更通用、更强大的解决方案，我知道它是安全的并且支持所有可能的 UTF-8 字符串。