Ormlite escape string method?
I tried using UpdateBuilder's escapeValue method, but it only makes the following change: 'ormlite's escape func'. It adds single quotes to beginning and end of the statement. Is there a native support for escaping strings to be sql injection safe?
This is a FAQ. The proper way to do this is to use a SelectArg
argument so the SQL can use a ? type of construct. Here's another question talking about this.
SelectArg selectArg = new SelectArg(stats);TestDao.queryForFirst( TestDao.queryBuilder().where().like("stats", selectArg).prepare());
Here's the documentation on the select-arg functionality.
Edit:
As @Moritz points out, if you are actually updating the database, you can also use the SelectArg
with the UpdateBuilder
:
SelectArg arg = new SelectArg("Some value");updateBuilder.updateColumnValue(MY_COLUMN, arg);