// Filter posted in the question (behaviour unchanged): strips a fixed set of
// characters from the keyword, then backslash-escapes single quotes.
String searchSQLFilter(String keyword) {
    for (String filter : new String[]{"|", "&", "*", "%", ";", "-", "+", ",", "<", ">"}) {
        // \Q...\E quotes the filter character so it is matched literally by the regex
        keyword = keyword.replaceAll("\\Q" + filter + "\\E", "");
    }
    // Replace each ' with \' (the Java literal "\\\\'" is the regex replacement \')
    keyword = keyword.replaceAll("'", "\\\\'");
    return keyword;
}
SQL query: please check my SQL query filter method, is this safe?
"select * from table where title like '%" + searchSQLFilter(keyword) + "%'"
I want to know whether the searchSQLFilter method is safe.
By the way: I know this is bad and that using PreparedStatement is better.
I would like to ask why you are doing your own filtering at all?
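As an added example (not the question's code), the alternative the poster mentions, binding the keyword as a parameter instead of filtering characters, written in Python with the standard-library sqlite3 module so it runs without a JDBC driver; the table and its rows are constructed here, and the ESCAPE clause covers the one thing binding alone does not: `%` and `_` inside a LIKE pattern.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the question's `table` with a `title` column.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO t(title) VALUES (?)",
        [("100% cotton",), ("Men's shirts",), ("under_score",), ("plain title",)],
    )
    return conn


def escape_like(term, esc="\\"):
    # Escape the escape character itself first, then the LIKE metacharacters,
    # so user input is matched literally inside the pattern.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_titles(conn, keyword):
    # The pattern is passed as a bound parameter: quotes, semicolons and comment
    # markers in `keyword` are data, never SQL syntax, so no character stripping is needed.
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT title FROM t WHERE title LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for kw in ["Men's", "100%", "_", "' OR 1=1 --"]:
        print(repr(kw), "->", search_titles(db, kw))
```

Note that the hand-written filter above also removes `-` and `+`, so a search for a hyphenated title can never match; the bound-parameter version keeps the keyword intact.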