Comments (5)
The problem is... how would you define SQL escape? I suppose you mean doing the equivalent to what a PreparedStatement does to a query's arguments, but... can this be done in a database-vendor independent manner?
from unbescape.
Yes, as you say, I mean preventing SQL injection. Apache Commons-lang2 has a method StringEscapeUtils.escapeSql(), but it has been removed from the API in Commons-lang3; the reason given is "This method was not of much use as it was only escaping single quotes". See: http://java.dzone.com/articles/commons-lang-3-improved-and-powerful-StringEscapeUtils. Do you have any good solutions to prevent SQL injection?
Well... obviously, using PreparedStatements. Or manually escaping SQL in a way understandable by your DBMS.
The problem with this escaping is that, in order to support it, it should be complete, not partial. So I understand the reasons why they removed it from Commons-Lang. Performing partial escaping operations is always a source of errors, because it gives the developer a false sense of security and might render the result equally invalid because the specific DBMS might need other chars to be escaped...
You should prefer prepared statements, or use ORMs with a criteria API. This avoids the need to escape and allows the RDBMS to do some optimizations.
Thank you all, I understand. I find that a complex solution depends on the DBMS. Druid provides WallFilter, which is based on SQL semantic analysis to defend against SQL injection attacks; see here: https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter
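The point made above about partial escaping, as an added example that is not code from the thread or from unbescape: a quote-doubling escaper in the spirit of the removed escapeSql() looks correct when the value sits inside a quoted string literal, but does nothing when the same value is concatenated into an unquoted numeric position. Python's standard sqlite3 module stands in here for JDBC's PreparedStatement; the table, rows and inputs are constructed for the demonstration.

```python
import sqlite3


def escape_sql(value: str) -> str:
    """Doubles single quotes, which is all the removed Commons-Lang escapeSql() did."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    # Constructed sample data; an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "o'brien")],
    )
    return conn


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    # Quoted context: quote doubling is sufficient here, which is exactly why it
    # gives a false sense of security.
    sql = "SELECT name FROM users WHERE name = '" + escape_sql(name) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Unquoted numeric context: there is no quote to escape, so the input is
    # parsed as SQL and a stray "OR" widens the WHERE clause to every row.
    sql = "SELECT name FROM users WHERE id = " + escape_sql(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized: the value is bound, never parsed. SQLite applies the
    # column's INTEGER affinity to the bound text, so "1" matches id 1 while
    # "1 OR 1=1" is not a number and matches nothing.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = setup_db()
    print(find_by_name_escaped(db, "o'brien"))   # escaping works in a quoted literal
    print(find_by_id_escaped(db, "1 OR 1=1"))    # escaping is useless without quotes
    print(find_by_id_param(db, "1 OR 1=1"))      # binding keeps the value as data
```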