String searchSQLFilter(String keyword) {
    // strip each blacklisted character; \Q...\E quotes it as a regex literal
    for (String filter : new String[]{"|", "&", "*", "%", ";", "-", "+", ",", "<", ">"}) {
        keyword = keyword.replaceAll("\\Q" + filter + "\\E", "");
    }
    // escape single quotes as \'
    keyword = keyword.replaceAll("'", "\\\\'");
    return keyword;
}
SQL query:
    "select * from table where title like '%" + searchSQLFilter(keyword) + "%'"
I want to know: is the searchSQLFilter method safe?
btw: I know this is not good; using PreparedStatement is better.
Sorry, no, it isn't.
Creating your own escaping function is a bad idea: you won't catch all the cases. Vendor-built escaping functions have been tried and tested by millions of users, and patched where necessary.
Example: did you take character encoding into account?
Not a final answer... a blacklist approach can only be safe at a given point in time. You're missing the complex ones like union. At least ' should be included in the blacklist as well.
As you already mentioned - prepared statements are better!