Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ormlite escape string method?

Is there a native way of escaping strings for Ormlite for Android?

For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape func.

TestDao.queryForFirst(TestDao.queryBuilder().where().like("stats", stats)
    .prepare())

I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?

If not, what are the ways to do it?

Thank you!

like image 345
the5threvolution Avatar asked Jun 19 '11 05:06

the5threvolution


1 Answers

I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?

This is a FAQ. The proper way to do this is to use a SelectArg argument so the SQL can use a ? type of construct. Here's another question talking about this.

SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
    TestDao.queryBuilder().where().like("stats", selectArg).prepare());

Here's the documentation on the select-arg functionality.

Edit:

As @Moritz points out, if you are actually updating the database, you can also use the SelectArg with the UpdateBuilder:

SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);
like image 111
Gray Avatar answered Oct 05 '22 15:10

Gray