Hi Thomas, Thanks for the reply. Out of curiosity, doesn't Jackrabbit have any helper classes (e.g. QueryEscapeUtils) that we can use?
Best regards, Behrang http://www.behrang.org On Tue, Dec 2, 2014 at 6:37 PM, Thomas Mueller <muel...@adobe.com> wrote: > Hi, > > Yes, you can use placeholders. Even dynamically created queries can use > placeholders. > > As for SQL-2, you need to use single quotes, not double quotes. Example: > > SELECT * FROM [cq:PageContent] > WHERE [aProperty] <> 'Joe''s Taxi' > > You only need to escape single quotes, using a single quote escape > character: > > String aValue = "Joe's Taxi"; > String sql2Query = "SELECT * FROM [cq:PageContent] " + > "WHERE [aProperty] <> '" + aValue.replaceAll("'", "''") + "'"; > > > If you want to use XPath, you can use single quotes or double quotes, but > usually single quotes are used as well (the same as in SQL-2). XPath > queries don't support placeholders currently. > > > Regards, > Thomas > > > > On 02/12/14 01:39, "Behrang Saeedzadeh" <behran...@gmail.com> wrote: > > >Let's pretend I have a JCR 2 query string that is made like this: > > > >String sql2Query = "SELECT * FROM [cq:PageContent] " + > > "WHERE [aProperty] <> \" + aValue + "\""; > > > >Are there any helper methods using which I can escape aValue? > > > >By the way, I already know that in SQL2 we can use placeholders in queries > >and let the framework take care of escaping of values for us, but if I > >were > >to create this query dynamically like this, how can I escape aValueto > >prevent SQL injection as well as construction of broken queries? > > > >Thanks in advance. > > > > > >Best regards, > >Behrang > >http://www.behrang.org > >
