Ormlite Escape String Method?
Is there a native way of escaping strings for Ormlite for Android? For example, if I want to supply a string: ormlite's escape func, it needs to be supplied as ormlite\'s escape fu
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to the beginning and end of the statement. Is there native support for escaping strings to be SQL injection safe?
Solution 1:
This is a FAQ. The proper way to do this is to use a SelectArg argument so the SQL can use a ? type of construct. Here's another question talking about this.
SelectArg selectArg = new SelectArg(stats);
TestDao.queryForFirst(
    TestDao.queryBuilder().where().like("stats", selectArg).prepare());
Here's the documentation on the select-arg functionality.
Edit:
As @Moritz points out, if you are actually updating the database, you can also use the SelectArg with the UpdateBuilder:
SelectArg arg = new SelectArg("Some value");
updateBuilder.updateColumnValue(MY_COLUMN, arg);
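As an added illustration (not code from the answer or from the ORMLite project), the following contrasts splicing a user-supplied value into raw SQL with binding it through SelectArg in both a query and an UpdateBuilder; the Test entity with its stats column, and the dao instance passed in, are assumptions.

```java
import java.sql.SQLException;
import java.util.List;

import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.stmt.PreparedQuery;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.stmt.UpdateBuilder;
import com.j256.ormlite.table.DatabaseTable;

public class SelectArgExample {

    // Hypothetical entity; the page only names a "stats" column.
    @DatabaseTable(tableName = "test")
    public static class Test {
        @DatabaseField(generatedId = true) int id;
        @DatabaseField String stats;
        Test() { } // ORMLite requires a no-arg constructor
    }

    // Unsafe: the value is spliced into the SQL text, so a quote in it
    // (e.g. "ormlite's escape func") breaks or alters the statement.
    public static List<String[]> findUnsafe(Dao<Test, Integer> dao, String input) throws SQLException {
        return dao.queryRaw("SELECT * FROM test WHERE stats LIKE '" + input + "'").getResults();
    }

    // Safe: SelectArg becomes a '?' placeholder and the driver binds the value,
    // so no escaping is needed. The same PreparedQuery can be reused by
    // calling setValue() on the SelectArg before each execution.
    public static Test findSafe(Dao<Test, Integer> dao, String input) throws SQLException {
        SelectArg arg = new SelectArg(input);
        PreparedQuery<Test> query = dao.queryBuilder().where().like("stats", arg).prepare();
        return dao.queryForFirst(query);
    }

    // Updates work the same way: both the new column value and the WHERE
    // argument are bound through SelectArg instead of being written into the SQL.
    public static int updateSafe(Dao<Test, Integer> dao, int id, String newStats) throws SQLException {
        UpdateBuilder<Test, Integer> ub = dao.updateBuilder();
        ub.updateColumnValue("stats", new SelectArg(newStats));
        ub.where().eq("id", new SelectArg(id));
        return ub.update();
    }
}
```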