@Test public void testQuoteWithBuilder() {
    // Each pair is (raw input, expected SQL literal). The expectations pin down the two
    // things appendEscapedSQLString does: wrap the value in single quotes, and double any
    // embedded single quote so a quote inside the input cannot terminate the literal.
    String[][] cases = {
        {"foobar", "'foobar'"},
        {"Blundell's", "'Blundell''s'"},
    };
    for (String[] pair : cases) {
        StringBuilder sb = new StringBuilder();
        DatabaseUtils.appendEscapedSQLString(sb, pair[0]);
        assertThat(sb.toString()).isEqualTo(pair[1]);
    }
}
} // closes the enclosing test class; its declaration precedes this listing
/**
 * Appends a chunk to the WHERE clause accumulated in {@code mWhereClause}.
 *
 * <p>All chunks are collected inside one pair of parentheses that is later ANDed with the
 * selection passed to {@link #query}. Only the opening parenthesis is written here (on the
 * first chunk); the closing one is presumably emitted when the query is assembled. Intended
 * shape:
 *
 * <pre>WHERE (&lt;chunk 1&gt;&lt;chunk 2&gt;) AND (&lt;query() selection&gt;)</pre>
 *
 * <p>Security note: {@code inWhere} is not escaped as a SQL <em>fragment</em>; it is emitted
 * as a single quoted SQL string <em>literal</em> via
 * {@link DatabaseUtils#appendEscapedSQLString} (wrapped in single quotes, embedded single
 * quotes doubled). A value therefore cannot break out of the literal, but it also means a
 * chunk such as {@code "name = 'x'"} becomes the literal {@code 'name = ''x'''}, not a
 * predicate. Use this method for values only; untrusted predicates belong in a
 * {@code ?}/selectionArgs path.
 *
 * @param inWhere text to append as a quoted string literal. Must not be {@code null}: on the
 *     first chunk the buffer is sized from {@code inWhere.length()}, which would throw.
 */
public void appendWhereEscapeString(String inWhere) {
    // Decide before allocating: a missing or still-empty buffer means this is the first
    // chunk, which is the one that gets the opening parenthesis.
    final boolean firstChunk = mWhereClause == null || mWhereClause.length() == 0;
    if (mWhereClause == null) {
        // Presumably 16 bytes of headroom for the surrounding quotes and a few doubled ones.
        mWhereClause = new StringBuilder(inWhere.length() + 16);
    }
    if (firstChunk) {
        mWhereClause.append('(');
    }
    DatabaseUtils.appendEscapedSQLString(mWhereClause, inWhere);
}
/**
 * Appends a {@code LIKE} comparison whose pattern is {@code expr}.
 *
 * <p>The pattern is written as a quoted SQL string literal (single quotes doubled), so it
 * cannot terminate the literal and inject SQL. Only quoting is handled: the LIKE wildcards
 * {@code %} and {@code _} are presumably passed through untouched, so a caller-supplied
 * pattern can still widen the match — confirm against {@code appendEscapedSQLString} and add
 * an {@code ESCAPE} clause if that matters for the caller.
 *
 * @param expr the right-hand operand (pattern) of the LIKE comparison.
 * @return this statement, for chaining.
 */
public Statement like(String expr) {
    statement.append(" LIKE ");
    // Quote + escape the operand; never append expr directly.
    appendEscapedSQLString(statement, expr);
    return this;
}
/**
 * Appends {@code value} to {@code statement}, quoting and escaping it when it is a
 * {@link String}.
 *
 * <p>Only values whose runtime type is exactly {@link String} are escaped (wrapped in single
 * quotes, embedded quotes doubled). Everything else — numbers, booleans, {@code null} (which
 * prints as {@code null}), and also any other {@link CharSequence} such as a
 * {@link StringBuilder} — is appended verbatim through {@code StringBuilder#append(Object)}.
 * Because {@link String} is final, an {@link UnescapeString} can never be a {@code String},
 * so it always takes the verbatim path; that is the intended way to bypass escaping, and it
 * means such wrappers (or any non-String object) must never carry untrusted text.
 *
 * @param statement builder the SQL text is appended to.
 * @param value raw value to append; {@code null} is appended as the text {@code null}.
 */
protected void append(StringBuilder statement, Object value) {
    if (!(value instanceof String)) {
        // Non-strings go in as-is: StringBuilder#append(Object) renders null as "null".
        statement.append(value);
        return;
    }
    appendEscapedSQLString(statement, (String) value);
}
/**
 * Appends a chunk to the WHERE clause accumulated in {@code mWhereClause}.
 *
 * <p>All chunks are collected inside one pair of parentheses that is later ANDed with the
 * selection passed to {@link #query}. Only the opening parenthesis is written here (on the
 * first chunk); the closing one is presumably emitted when the query is assembled. Intended
 * shape:
 *
 * <pre>WHERE (&lt;chunk 1&gt;&lt;chunk 2&gt;) AND (&lt;query() selection&gt;)</pre>
 *
 * <p>Security note: {@code inWhere} is not escaped as a SQL <em>fragment</em>; it is emitted
 * as a single quoted SQL string <em>literal</em> via
 * {@link DatabaseUtils#appendEscapedSQLString} (wrapped in single quotes, embedded single
 * quotes doubled). A value therefore cannot break out of the literal, but it also means a
 * chunk such as {@code "name = 'x'"} becomes the literal {@code 'name = ''x'''}, not a
 * predicate. Use this method for values only; untrusted predicates belong in a
 * {@code ?}/selectionArgs path.
 *
 * @param inWhere text to append as a quoted string literal. Must not be {@code null}: on the
 *     first chunk the buffer is sized from {@code inWhere.length()}, which would throw.
 */
public void appendWhereEscapeString(String inWhere) {
    // Decide before allocating: a missing or still-empty buffer means this is the first
    // chunk, which is the one that gets the opening parenthesis.
    final boolean firstChunk = mWhereClause == null || mWhereClause.length() == 0;
    if (mWhereClause == null) {
        // Presumably 16 bytes of headroom for the surrounding quotes and a few doubled ones.
        mWhereClause = new StringBuilder(inWhere.length() + 16);
    }
    if (firstChunk) {
        mWhereClause.append('(');
    }
    DatabaseUtils.appendEscapedSQLString(mWhereClause, inWhere);
}
/**
 * Appends a chunk to the WHERE clause accumulated in {@code mWhereClause}.
 *
 * <p>All chunks are collected inside one pair of parentheses that is later ANDed with the
 * selection passed to {@link #query}. Only the opening parenthesis is written here (on the
 * first chunk); the closing one is presumably emitted when the query is assembled. Intended
 * shape:
 *
 * <pre>WHERE (&lt;chunk 1&gt;&lt;chunk 2&gt;) AND (&lt;query() selection&gt;)</pre>
 *
 * <p>Security note: {@code inWhere} is not escaped as a SQL <em>fragment</em>; it is emitted
 * as a single quoted SQL string <em>literal</em> via
 * {@link DatabaseUtils#appendEscapedSQLString} (wrapped in single quotes, embedded single
 * quotes doubled). A value therefore cannot break out of the literal, but it also means a
 * chunk such as {@code "name = 'x'"} becomes the literal {@code 'name = ''x'''}, not a
 * predicate. Use this method for values only; untrusted predicates belong in a
 * {@code ?}/selectionArgs path.
 *
 * @param inWhere text to append as a quoted string literal. Must not be {@code null}: on the
 *     first chunk the buffer is sized from {@code inWhere.length()}, which would throw.
 */
public void appendWhereEscapeString(String inWhere) {
    // Decide before allocating: a missing or still-empty buffer means this is the first
    // chunk, which is the one that gets the opening parenthesis.
    final boolean firstChunk = mWhereClause == null || mWhereClause.length() == 0;
    if (mWhereClause == null) {
        // Presumably 16 bytes of headroom for the surrounding quotes and a few doubled ones.
        mWhereClause = new StringBuilder(inWhere.length() + 16);
    }
    if (firstChunk) {
        mWhereClause.append('(');
    }
    DatabaseUtils.appendEscapedSQLString(mWhereClause, inWhere);
}
// Quote the URI's last path segment as a SQL string literal (single quotes doubled) before
// it is spliced into `filter`, so a segment containing ' cannot terminate the literal and
// alter the query. NOTE(review): getLastPathSegment() can presumably be null for a URI with
// no path — confirm the caller guards that before this call.
DatabaseUtils.appendEscapedSQLString(filter, partUri.getLastPathSegment());
} else if (UriUtils.hasParent(uri)) { StringBuilder escapedWhere = new StringBuilder(); DatabaseUtils.appendEscapedSQLString(escapedWhere, UriUtils.getParentId(uri)); String where = UriUtils.getParentColumnName(uri) + ID + "=" + escapedWhere.toString(); logger.logAppendWhere(where);