I have seen many related questions, but none of them is exactly my problem.
General question: where exactly is it specified how things get escaped in Hibernate, in particular for Grails GORM?
Particular problem:
I want to execute this:
"WHERE extractValue(field, '//value[@my_attribute=\""+localeStr+"\"]')"
As you can see, localeStr is not escaped, and it is included in a string nested inside another string. How can I escape this, if possible with a parameter (something like :parameter)?
Thanks.
Here, I believe, in the "bind parameters" section. Plus general Groovy escaping.
Though, sorry, it's not clear - escape what? Do you need localeStr to contain a parameter, or the opposite, to sanitize out any possible parameter?
Removing ":" and "?" should do, as for me. Though, it's a bad idea to concatenate an untrusted String directly into a query anyway.
The best approach to sanitize a String parameter is to, er, pass it as a parameter:
// The bound parameter must sit outside the quoted XPath literal (a ":name" inside
// '...' is just text to Hibernate), so concat() joins it in on the database side.
DomainClass.findAll(
    "WHERE extractValue(field, concat('//value[@my_attribute=\"', :attrValue, '\"]'))",
    [attrValue: localeStr])
See the findAll() doc.
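As an added example (not code from the question or the answer, and not part of Grails, GORM or Hibernate), the following Groovy class places the concatenated query shape from the question beside a bound-parameter version, and adds the check a reviewer would want around it: binding keeps the value out of the HQL text, but the value still ends up inside an XPath expression handed to extractValue(), so the locale is validated against a strict pattern before it is bound. DomainClass, the XML column field, the attribute my_attribute, the IS NOT NULL comparison and the availability of extractValue()/concat() through the configured dialect are all assumptions.

```groovy
import java.util.regex.Pattern

// Added example, not from the question or the answer above. Assumes a GORM domain
// class DomainClass with an XML column `field`, MySQL's extractValue() and concat()
// reachable from HQL through the configured dialect, and localeStr arriving from
// request input. Everything except the commented findAll call runs without Grails.
class LocaleXPathQuery {

    // Locale tags look like "en", "en_US" or "pt-BR": letters, digits, '-' and '_' only.
    // Quotes, brackets and other XPath syntax are rejected before reaching the query.
    static final Pattern LOCALE_TAG = ~/^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*$/

    // The HQL is a constant. The locale travels as a bound parameter and the
    // database's concat() assembles the XPath string, so the value never becomes
    // part of the HQL text. (":attrValue" inside '...' would be literal text.)
    static final String SAFE_HQL =
        "FROM DomainClass WHERE extractValue(field, " +
        "concat('//value[@my_attribute=\"', :attrValue, '\"]')) IS NOT NULL"

    static String requireLocaleTag(String localeStr) {
        if (localeStr == null || !LOCALE_TAG.matcher(localeStr).matches()) {
            throw new IllegalArgumentException("rejected locale tag: ${localeStr}")
        }
        return localeStr
    }

    // Shape of the concatenated query from the question: the value is spliced into
    // the HQL text and into the XPath literal, so a quote character in it changes
    // the expression. Kept only to contrast with the safe form; never run it on input.
    static String concatenatedHql(String localeStr) {
        return "FROM DomainClass WHERE extractValue(field, '//value[@my_attribute=\"" +
            localeStr + "\"]') IS NOT NULL"
    }

    // Bound-parameter map, validated first. The bind stops the value from altering
    // the HQL; the validation stops it from carrying XPath syntax into extractValue().
    static Map<String, Object> safeParams(String localeStr) {
        return [attrValue: requireLocaleTag(localeStr)]
    }

    // In a Grails service (DomainClass is assumed to exist):
    //   def rows = DomainClass.findAll(LocaleXPathQuery.SAFE_HQL,
    //                                  LocaleXPathQuery.safeParams(params.locale))
}

// Stand-alone check of the validation: a well-formed tag passes, a tag carrying a
// quote character (which would close the XPath attribute literal) is rejected.
assert LocaleXPathQuery.safeParams("en_US") == [attrValue: "en_US"]
assert LocaleXPathQuery.concatenatedHql('en"').contains('@my_attribute="en""')
boolean rejected = false
try {
    LocaleXPathQuery.safeParams('en"')
} catch (IllegalArgumentException ignored) {
    rejected = true
}
assert rejected
```

The two controls are independent: the bound parameter is what the answer recommends and is what prevents the value from rewriting the HQL, while the pattern check is the extra step needed because extractValue() interprets the bound string as XPath, which Hibernate's binding knows nothing about.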