Is there a plan to support sql escape? about unbescape HOT 5 CLOSED

The problem is... how would you define SQL escape? I suppose you mean doing the equivalent to what a PreparedStatement does to a query's arguments, but.. can this be done in a database-vendor independent manner?

from unbescape.

Yes, as you say, mean doing prevent sql injection. Apache Commons-lang2 has a method StringEscapeUtils.escapeSql(), but has been removed from the API in Commons-lang3, the reason is “This method was not of much use as it was only escaping single quotes”. see: http://java.dzone.com/articles/commons-lang-3-improved-and-powerful-StringEscapeUtils. Do you have any good solutions to prevent sql injection?

from unbescape.

Well... obviously, using PreparedStatements. Or manually escaping SQL in a way understandable by your DBMS.

The problem with this escaping is that, in order to support it, it should be complete, not partial. So I understand the reasons why they removed it from Commons-Lang. Performing partial escaping operations is always a source of errors, because it gives the developer a false sense of security and might render the result equally invalid because the specific DBMS might need other chars to be escaped...

from unbescape.

You should prefer prepared statements, or use ORMs with a criteria API. This avoids the need to escape and allows the RDBMS to do some optimizations.

from unbescape.

Thank you all, I understand. I find a complex solution depends DBMS. Druid provides WallFilter, it is based on the SQL semantic analysis to defense SQL injection attacks, see here : https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter

from unbescape.