How to escape dynamically generated String values in a JCR-SQL2 query?

Suppose I have a JCR-SQL2 query string that is built like this:

String sql2Query = "SELECT * FROM [cq:PageContent] " +
                   "WHERE [aProperty] <> \"" + aValue + "\"";

Are there helper methods with which I can escape aValue?

By the way, I already know that in SQL2 we can use placeholders in queries and let the platform take care of escaping the values for us, but if I had to build this query dynamically, how could I escape aValue so as to prevent SQL injection and also avoid building broken queries?

+3




2 answers


Yes, you can use placeholders. Even dynamically generated queries can use placeholders.

As far as SQL-2 is concerned, you need to use single quotes, not double quotes. Example:

SELECT * FROM [cq:PageContent]
WHERE [aProperty] <> 'Joe'' Taxi'

You only need to escape single quotes, using a single quote as the escape character:

String aValue = "Joe' Taxi";   // value containing an embedded single quote
String sql2Query = "SELECT * FROM [cq:PageContent] " +
    "WHERE [aProperty] <> '" + aValue.replaceAll("'", "''") + "'";
// every ' in the value becomes '' so the literal stays a single string


If you want to use XPath, you can use single quotes or double quotes, but single quotes are usually used (same as in SQL-2). XPath queries are not supported at this time.

+6


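An added example, not part of the answer above and not Jackrabbit or AEM code: it puts the two approaches from the answer side by side against the JCR 2.0 API. The bind-variable method assumes a javax.jcr.Session obtained elsewhere; the quoteSql2Literal helper, the buildStatement method and the sample values (including the hostile one) are constructed for illustration.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

public final class Sql2Literals {

    /**
     * Preferred form: the value is bound by the repository, so the statement
     * text never contains user-supplied data. Assumes a live JCR session.
     */
    public static QueryResult findWithBindVariable(Session session, String aValue)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        // $aValue is a JCR-SQL2 bind variable, not string concatenation.
        Query query = qm.createQuery(
                "SELECT * FROM [cq:PageContent] WHERE [aProperty] <> $aValue",
                Query.JCR_SQL2);
        ValueFactory vf = session.getValueFactory();
        query.bindValue("aValue", vf.createValue(aValue));
        return query.execute();
    }

    /**
     * Fallback for statements that really must be assembled by hand (hypothetical
     * helper): wrap the value in single quotes and double every embedded single
     * quote, which is the JCR-SQL2 escape for a quote inside a string literal.
     */
    public static String quoteSql2Literal(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("literal must not be null");
        }
        return "'" + raw.replace("'", "''") + "'";
    }

    /** Hypothetical builder showing the helper applied to the page's query. */
    public static String buildStatement(String aValue) {
        return "SELECT * FROM [cq:PageContent] WHERE [aProperty] <> "
                + quoteSql2Literal(aValue);
    }

    public static void main(String[] args) {
        // Constructed sample values. The second one is shaped like an injection
        // attempt: without escaping it would close the literal and append its own
        // OR clause, turning the query into one that matches every node.
        String benign = "Joe' Taxi";
        String hostile = "x' OR [aProperty] IS NOT NULL OR [aProperty] = '";

        System.out.println(buildStatement(benign));
        System.out.println(buildStatement(hostile));
        // In both outputs every embedded quote is doubled, so the whole input stays
        // inside one string literal and is compared as data rather than parsed as
        // part of the WHERE clause.
    }
}
```

Bind variables only stand in for values. A property or node type name chosen at runtime cannot be bound, so anything that ends up inside the `[...]` brackets still has to be checked against a fixed list of allowed names before it is concatenated.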


Apparently org.apache.jackrabbit.util.Text has escapeIllegalJcrChars. Will it help?



More information: https://jackrabbit.apache.org/api/1.4/org/apache/jackrabbit/util/Text.html

0

