Query query = session.createQuery("from Secret where username=?");
query.setParameter(0, username);
//Query query = session.createQuery("from Secret where username=:username");PreparedStatement updateSales =
conn.prepareStatement(" update goods set sales = ? where good_name like ?");
updateSales.setInt(1, 75);
updateSales.setString(2, "喜之郎果冻");
updateSales.executeUpdate();核心:能用#就不用$
select * from news where tile like concat('%',#{title},'%')Codec oracleCodec = new OracleCodec();
String query = "select name from users where id = " + ESAPI.encoder().encoderForSQL(oracleCodec,userId);
Statement stmt = conn.createStatement(query);Codec mysqlCodec = new MySQLCodec(MySQLCodec.ANSI_MODE);ANSI模式下,对单引号进行转义,对双引号进行过滤
private String encodeCharacterANSI(Character c){
if(c == '\'')
return "\'\'";
if(c == '\"')
return "";
return "" + c;
}Codec mysqlCodec = new MySQLCodec(MySQLCodec.MYSQL_MODE);MYSQL模式通过在字符前面加反斜杠字符来进行转义
<h6>其它</h6>ESAPI提供了OracleCodec,MySQLCodec, DB2Codec,[MSSQLCodec, PgSQLCodec],在使用时都是先实例化,再由ESAPI.encoder().encoderForSQL进行过滤/转义操作