How to avoid dynamically generated String values in SQL2 JCR query?
Suppose I have a JCR 2 query string that is done like this:
String sql2Query = "SELECT * FROM [cq:PageContent] " +
    "WHERE [aProperty] <> \"" + aValue + "\""; // aValue concatenated straight into the statement
Are there helper methods I can use to escape aValue?
By the way, I already know that in SQL2 we can use placeholders for queries and let the platform take care of escaping the values for us, but if I had to create this query dynamically, how can I escape aValue so as to prevent SQL injection and also avoid building broken queries?
Yes, you can use placeholders. Even dynamically generated queries can use placeholders.
As far as SQL-2 is concerned, you need to use single quotes, not double quotes. Example:
SELECT * FROM [cq:PageContent]
WHERE [aProperty] <> 'Joe''s Taxi'
You only need to escape single quotes, by doubling them (a single quote inside the literal is written as two single-quote characters):
String aValue = "Joe's Taxi";
String sql2Query = "SELECT * FROM [cq:PageContent] " +
    "WHERE [aProperty] <> '" + aValue.replaceAll("'", "''") + "'"; // '' is the SQL-2 escape for a single quote
If you want to use XPath, you can use single quotes or double quotes, but single quotes are usually used (same as in SQL-2). XPath queries are not supported at this time.
Apparently org.apache.jackrabbit.util.Text has escapeIllegalJcrChars. Will it help?
More information: https://jackrabbit.apache.org/api/1.4/org/apache/jackrabbit/util/Text.html
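The following is an added example (not code from the question or either answer) that puts the two approaches discussed above side by side: a JCR 2.0 bind variable, which keeps the value out of the statement text entirely, and the single-quote doubling from the first answer as a fallback when the statement really has to be assembled as a string. It assumes only the standard javax.jcr API (Query.bindValue, Query.JCR_SQL2, ValueFactory.createValue) and a Session obtained elsewhere; the class name, method names and the sample value "Joe's Taxi" are the example's own. On the second answer: Text.escapeIllegalJcrChars is meant to turn a string into a legal JCR node or property name, not to escape a SQL2 string literal, so it is not a substitute for either technique below and would change the value being compared.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/** Hypothetical helper class for this example; not part of any JCR implementation. */
public class Sql2Literals {

    /**
     * Preferred: a bind variable. The statement text is constant and the value is
     * handed to the repository separately, so it is never parsed as part of the query.
     * JCR-SQL2 writes a bind variable as $name (JSR-283).
     */
    public static QueryResult queryWithBindVariable(Session session, String aValue)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(
                "SELECT * FROM [cq:PageContent] WHERE [aProperty] <> $aValue",
                Query.JCR_SQL2);
        ValueFactory vf = session.getValueFactory();
        q.bindValue("aValue", vf.createValue(aValue));
        return q.execute();
    }

    /**
     * Fallback: a JCR-SQL2 string literal is single-quoted, and the only character
     * that needs escaping inside it is the single quote itself, written twice.
     */
    public static String sql2Literal(String value) {
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        return "'" + value.replace("'", "''") + "'";
    }

    public static String buildEscapedStatement(String aValue) {
        return "SELECT * FROM [cq:PageContent] WHERE [aProperty] <> " + sql2Literal(aValue);
    }

    /** The unescaped concatenation from the question, kept only for comparison. */
    public static String buildUnescapedStatement(String aValue) {
        return "SELECT * FROM [cq:PageContent] WHERE [aProperty] <> '" + aValue + "'";
    }

    public static void main(String[] args) {
        // Constructed sample value containing the one character that matters.
        String aValue = "Joe's Taxi";

        // Unbalanced quote: the statement fails to parse, and a differently crafted
        // value could change the predicate instead of just breaking it.
        System.out.println(buildUnescapedStatement(aValue));

        // The repository reads exactly one literal: 'Joe''s Taxi'.
        System.out.println(buildEscapedStatement(aValue));
    }
}
```

Use queryWithBindVariable wherever the query shape is fixed and only the value varies; reach for sql2Literal only when the statement structure itself is built at runtime, and keep it as the single place where values meet the query text so it can be reviewed and tested in isolation.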