Appengine datastore query escaping single quote (')

I used javax.jdo.Query as here: JDO for Google App Engine: escaping quotes. However, my single-quoted (') query string continues to explode.

Query query = pm.newQuery("select from " + Book.class.getName() + " where mArtist== '"+ artist + "' && mTitle=='" + title + "'"); 

Here is the exception:

javax.jdo.JDOUserException: Portion of expression could not be parsed: 't Give Up' org.datanucleus.store.query.QueryCompilerSyntaxException: Portion of expression could not be parsed: 't Give Up'

Here is the query's .toString():

SELECT FROM com.example.Book WHERE mArtist== 'Famous Writer' && mTitle=='We Won''t Give Up'

Yeah, I even escaped the single quote (') with a doubled single quote, as the App Engine docs say:

A string literal, as a single-quoted string. Single-quote characters in the string must be escaped as ''. For example: 'Joe''s Diner'

0
2 answers

Building a query by concatenating strings is almost always risky, even if SQL Injection attacks are not possible. (They are not with GAE.)

See http://code.google.com/appengine/docs/java/datastore/jdo/queries.html#Introducing_Queries and notice the bit in "parameter overriding".

+2

The sample code in the document covers only one parameter change. Here is a bit more.

Query query = pm.newQuery(Book.class);
query.setFilter("mArtist == artist && mTitle == title");
query.declareParameters("String artist, String title");
List<Book> list = (List<Book>) query.execute("Famous Writer", "We Won't Give Up");

Some questions to read:

How to dynamically create JDO requests in several ways

Google Datastore issue requesting * User type *

+1
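As an added example (not the answerer's code), here is the parameterized form from the answer above extended to a filter assembled at runtime, which is what the linked "dynamically create JDO queries" question is about. It assumes the question's Book class (String fields mArtist and mTitle) and an open PersistenceManager supplied by the caller; the helper name BookQueries and the field allowlist are my own.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

public class BookQueries {

    // Field names that may appear in a filter. They come from this list, never
    // from the request, because field names are spliced into the JDOQL text.
    private static final Set<String> ALLOWED_FIELDS =
            new HashSet<String>(Arrays.asList("mArtist", "mTitle"));

    // Fixed two-field lookup: the values are bound as parameters, so a title
    // such as "We Won't Give Up" never touches the JDOQL text and needs no
    // escaping at all.
    @SuppressWarnings("unchecked")
    static List<Book> findByArtistAndTitle(PersistenceManager pm, String artist, String title) {
        Query query = pm.newQuery(Book.class);
        query.setFilter("mArtist == artistParam && mTitle == titleParam");
        query.declareParameters("String artistParam, String titleParam");
        try {
            return (List<Book>) query.execute(artist, title);
        } finally {
            query.closeAll();   // release the result set / cursor
        }
    }

    // Dynamic variant: one "field == param" term per entry, values bound by
    // name through executeWithMap. Only the allowlisted field names are ever
    // concatenated; the values stay parameters.
    @SuppressWarnings("unchecked")
    static List<Book> findByFields(PersistenceManager pm, Map<String, String> fieldValues) {
        StringBuilder filter = new StringBuilder();
        StringBuilder declared = new StringBuilder();
        Map<String, Object> bound = new HashMap<String, Object>();
        for (Map.Entry<String, String> e : fieldValues.entrySet()) {
            String field = e.getKey();
            if (!ALLOWED_FIELDS.contains(field)) {
                throw new IllegalArgumentException("unknown field: " + field);
            }
            String param = field + "Param";
            if (filter.length() > 0) {
                filter.append(" && ");
                declared.append(", ");
            }
            filter.append(field).append(" == ").append(param);
            declared.append("String ").append(param);
            bound.put(param, e.getValue());
        }
        Query query = pm.newQuery(Book.class);
        query.setFilter(filter.toString());
        query.declareParameters(declared.toString());
        try {
            return (List<Book>) query.executeWithMap(bound);
        } finally {
            query.closeAll();
        }
    }
}
```

Calling findByFields with a map of {mArtist: "Famous Writer", mTitle: "We Won't Give Up"} produces the filter "mArtist == mArtistParam && mTitle == mTitleParam" with both values bound, so the apostrophe in the title is never seen by the JDOQL parser.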
