JDO for Google App Engine: quotes escaping

Question

JDO for Google App Engine: quotes escaping

How to avoid query parameters in JDO (Google App Engine)?

For example, how to make the following snippet safe if the variable name may contain unsafe characters like single quotes (')

PersistenceManager pm = ...; String query = "select from Person where name='"+name+"'"; List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).execute();

+4

security google-app-engine jdo jdoql

flybywire 30 sept '09 at 9:21

source share

1 answer

Todd owner · Accepted Answer · 2009-09-30T09:38:09+0000

Use query parameters instead, it is much safer than including values in the query itself. Here is an example from the GAE documentation:

 Query query = pm.newQuery("select from Employee " + "where lastName == lastNameParam " + "order by hireDate desc " + "parameters String lastNameParam"); List<Employee> results = (List<Employee>) query.execute("Smith");

JDO for Google App Engine: quotes escaping

More articles: