db-torque-user mailing list archives

From Martin Tilsted <til...@daimi.au.dk>
Subject Re: What is the best way to escape input to SqlEnum.CUSTOM?
Date Mon, 10 Mar 2008 20:14:53 GMT
Aha, thank you. I knew it was there somewhere, I could just not find it.

Greg Monroe wrote:
> Yes, you're right.  I missed a test up the line for
> Custom.  So, the answer is to use the static method:
>
> SqlExpression.quoteAndEscapeText(String, DB)
>
> on the applicable parts of your custom criteria.
> This will return a String quoted for the specific 
> DB type.  E.g.:
>
> String likePart = "%"+someText+"%";
> DB db = Torque.getDB(TablePeer.DATABASE_NAME);
> likePart = SqlExpression.quoteAndEscapeText(
>        likePart, db);
> String customPart = "myField like " + likePart;
>
>
>   
>> -----Original Message-----
>> From: Martin Tilsted [mailto:tiller@daimi.au.dk]
>> Sent: Friday, March 07, 2008 1:55 PM
>> To: Apache Torque Users List
>> Subject: Re: What is the best way to escape input to SqlEnum.CUSTOM?
>>
>> Greg Monroe wrote:
>>     
>>> As long as the Criteria value object is a String, you don't
>>> have to worry. The code should be calling the following
>>> method:
>>>
>>> SqlExpression.quoteAndEscapeText(String rawText, DB db)
>>>
>>> This surrounds the value with the correct quotes and
>>> escapes stuff based on the type of DB.
>>>
>>>       
>> But that can't work for SqlEnum.CUSTOM because what if the query is
>> something like
>>
>> String customPart="myField like '%" + someText + "%'";
>> where someText is the user input.
>>
>> Doing a criteria.add("Table",customPart,SqlEnum.CUSTOM);
>> If it escapes the entire query then the result will be wrong, because it
>> will also escape the ' before the %, and that should not be escaped.
>>
>> Which is why I am pretty sure I need to escape the someText string
>> before I use it as part of a query with SqlEnum.CUSTOM.
>> (I know the query can be made without SqlEnum.CUSTOM it's just an
>> example).
>>     
>>>> -----Original Message-----
>>>> From: Martin Tilsted [mailto:tiller@daimi.au.dk]
>>>> Sent: Friday, March 07, 2008 1:01 PM
>>>> To: Apache Torque Users List
>>>> Subject: What is the best way to escape input to SqlEnum.CUSTOM?
>>>>
>>>> What is the best way to escape a (user input) value that is used as part
>>>> of a SqlEnum.CUSTOM query?
>>>>
>>>> Is there a method that will escape strings based on the requirements
>>>> of the current open database connection?
>>>>
>>>> Martin
>>>>
>>>>         
>
>   
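Greg's answer turned into a small helper, as an added example that is not code from the thread or from Torque itself: the user-controlled text is passed through SqlExpression.quoteAndEscapeText before it is concatenated into the SqlEnum.CUSTOM fragment, and the unescaped version from the question is kept beside it for comparison. The peer class and column (BookPeer, BookPeer.TITLE, BookPeer.DATABASE_NAME) are placeholders, and the Torque 3.x package names are assumed.

```java
import org.apache.torque.Torque;
import org.apache.torque.TorqueException;
import org.apache.torque.adapter.DB;
import org.apache.torque.util.Criteria;
import org.apache.torque.util.SqlEnum;
import org.apache.torque.util.SqlExpression;

/** Builds a LIKE criterion from user input for use with SqlEnum.CUSTOM. */
public class CustomLikeCriteria {

    // Unsafe (the form from the question): the user's text is spliced straight
    // into the SQL fragment, so a single quote in someText ends the string
    // literal and whatever follows is executed as SQL.
    static String unsafeLike(String column, String someText) {
        return column + " like '%" + someText + "%'";
    }

    // Safe (the form from the answer): build the complete pattern first, then
    // let Torque quote and escape it for the database adapter in use, and only
    // splice the resulting quoted literal into the fragment.
    static String safeLike(String column, String someText, DB db) {
        String pattern = "%" + someText + "%";
        String literal = SqlExpression.quoteAndEscapeText(pattern, db); // quotes included
        return column + " like " + literal;
    }

    // quoteAndEscapeText protects the string literal only: '%' and '_' typed by
    // the user still act as LIKE wildcards, so reject or handle them separately
    // if that matters for the query.
    static Criteria titleContains(String someText) throws TorqueException {
        DB db = Torque.getDB(BookPeer.DATABASE_NAME); // BookPeer is a placeholder
        Criteria crit = new Criteria();
        crit.add(BookPeer.TITLE, safeLike(BookPeer.TITLE, someText, db), SqlEnum.CUSTOM);
        return crit;
    }
}
```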

