http://www.jexp.ru/index.php?action=history&feed=atom&title=Java%2FDatabase_SQL_JDBC%2FSQL_BuilderJava/Database SQL JDBC/SQL Builder - История изменений2026-04-21T12:06:11ZИстория изменений этой страницы в викиMediaWiki 1.30.0http://www.jexp.ru/index.php?title=Java/Database_SQL_JDBC/SQL_Builder&diff=6933&oldid=prevAdmin: 1 версия2010-06-01T06:34:13Z<p>1 версия</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<tr style="vertical-align: top;" lang="ru">
<td colspan="1" style="background-color: white; color:black; text-align: center;">← Предыдущая</td>
<td colspan="1" style="background-color: white; color:black; text-align: center;">Версия 06:34, 1 июня 2010</td>
</tr><tr><td colspan="2" style="text-align: center;" lang="ru"><div class="mw-diff-empty">(нет различий)</div>
</td></tr></table>Adminhttp://www.jexp.ru/index.php?title=Java/Database_SQL_JDBC/SQL_Builder&diff=6932&oldid=prev в 18:01, 31 мая 20102010-05-31T18:01:44Z<p></p>
<p><b>Новая страница</b></p><div>== Escape SQL ==<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<!-- start source code --><br />
<br />
<source lang="java"><br />
<br />
/*<br />
* Static String formatting and query routines.<br />
* Copyright (C) 2001-2005 Stephen Ostermiller<br />
* http://ostermiller.org/contact.pl?regarding=Java+Utilities<br />
*<br />
* This program is free software; you can redistribute it and/or modify<br />
* it under the terms of the GNU General Public License as published by<br />
* the Free Software Foundation; either version 2 of the License, or<br />
* (at your option) any later version.<br />
*<br />
* This program is distributed in the hope that it will be useful,<br />
* but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
* GNU General Public License for more details.<br />
*<br />
* See COPYING.TXT for details.<br />
*/<br />
<br />
import java.util.HashMap;<br />
import java.util.regex.Pattern;<br />
/**<br />
* Utilities for String formatting, manipulation, and queries.<br />
* More information about this class is available from .<br />
*<br />
* @author Stephen Ostermiller http://ostermiller.org/contact.pl?regarding=Java+Utilities<br />
* @since ostermillerutils 1.00.00<br />
*/<br />
public class StringHelper {<br />
/**<br />
* Replaces characters that may be confused by an SQL<br />
* parser with their equivalent escape characters.<br />
* <p><br />
* Any data that will be put in an SQL query should<br />
* be be escaped. This is especially important for data<br />
* that comes from untrusted sources such as Internet users.<br />
* <p><br />
* For example if you had the following SQL query:<br><br />
* <code>"SELECT * FROM addresses WHERE name="" + name + "" AND private="N""</code><br><br />
* Without this function a user could give <code>" OR 1=1 OR ""=""</code><br />
* as their name causing the query to be:<br><br />
* <code>"SELECT * FROM addresses WHERE name="" OR 1=1 OR ""="" AND private="N""</code><br><br />
* which will give all addresses, including private ones.<br><br />
* Correct usage would be:<br><br />
* <code>"SELECT * FROM addresses WHERE name="" + StringHelper.escapeSQL(name) + "" AND private="N""</code><br><br />
* <p><br />
* Another way to avoid this problem is to use a PreparedStatement<br />
* with appropriate placeholders.<br />
*<br />
* @param s String to be escaped<br />
* @return escaped String<br />
* @throws NullPointerException if s is null.<br />
*<br />
* @since ostermillerutils 1.00.00<br />
*/<br />
public static String escapeSQL(String s){<br />
int length = s.length();<br />
int newLength = length;<br />
// first check for characters that might<br />
// be dangerous and calculate a length<br />
// of the string that has escapes.<br />
for (int i=0; i<length; i++){<br />
char c = s.charAt(i);<br />
switch(c){<br />
case "\\":<br />
case "\"":<br />
case "\"":<br />
case "\0":{<br />
newLength += 1;<br />
} break;<br />
}<br />
}<br />
if (length == newLength){<br />
// nothing to escape in the string<br />
return s;<br />
}<br />
StringBuffer sb = new StringBuffer(newLength);<br />
for (int i=0; i<length; i++){<br />
char c = s.charAt(i);<br />
switch(c){<br />
case "\\":{<br />
sb.append("\\\\");<br />
} break;<br />
case "\"":{<br />
sb.append("\\\"");<br />
} break;<br />
case "\"":{<br />
sb.append("\\\"");<br />
} break;<br />
case "\0":{<br />
sb.append("\\0");<br />
} break;<br />
default: {<br />
sb.append(c);<br />
}<br />
}<br />
}<br />
return sb.toString();<br />
}<br />
}<br />
<br />
</source><br />
<br />
<br />
<!-- end source code --><br />
<br />
<br />
<br />
<br />
<br />
== SQL Builder ==<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<!-- start source code --><br />
<br />
<source lang="java"><br />
<br />
import java.util.HashMap;<br />
import java.util.Iterator;<br />
import java.util.Map;<br />
public class BuilderMain {<br />
public static void main(String[] args) {<br />
InsertBuilder builder = new InsertBuilder();<br />
builder.setTable("employees");<br />
builder.addColumnAndData("employee_id", new Integer(221));<br />
builder.addColumnAndData("first_name", ""Shane"");<br />
builder.addColumnAndData("last_name", ""Grinnell"");<br />
builder.addColumnAndData("email", ""al@yahoo.ru"");<br />
String sql = SQLDirector.buildSQL(builder);<br />
System.out.println(sql);<br />
}<br />
}<br />
class SQLDirector {<br />
public static String buildSQL(SQLBuilder builder) {<br />
StringBuffer buffer = new StringBuffer();<br />
buffer.append(builder.getCommand());<br />
buffer.append(builder.getTable());<br />
buffer.append(builder.getWhat());<br />
buffer.append(builder.getCriteria());<br />
return buffer.toString();<br />
}<br />
}<br />
abstract class SQLBuilder {<br />
/**<br />
* Gets the command attribute of the SQLBuilder object<br />
* <br />
* @return The command value or what type of Builder this is. This will return<br />
* a SQL command.<br />
* @since<br />
*/<br />
public abstract String getCommand();<br />
/**<br />
* Gets the table attribute of the SQLBuilder object<br />
* <br />
* @return The table name value<br />
* @since<br />
*/<br />
public abstract String getTable();<br />
/**<br />
* Gets the what value of the SQLBuilder object. This attribute will differ<br />
* based on what type of object we are using. This could be a list of columns<br />
* and data.<br />
* <br />
* @return The what value<br />
* @since<br />
*/<br />
public abstract String getWhat();<br />
/**<br />
* Gets the criteria attribute of the SQLBuilder object<br />
* <br />
* @return The criteria value<br />
* @since<br />
*/<br />
public abstract String getCriteria();<br />
}<br />
class InsertBuilder extends SQLBuilder {<br />
private String table;<br />
private Map columnsAndData = new HashMap();<br />
private String criteria;<br />
/**<br />
* Sets the table attribute of the InsertBuilder object<br />
* <br />
* @param table<br />
* The new table value<br />
* @since<br />
*/<br />
public void setTable(String table) {<br />
this.table = table;<br />
}<br />
/**<br />
* Gets the command attribute of the InsertBuilder object<br />
* <br />
* @return The command value<br />
* @since<br />
*/<br />
public String getCommand() {<br />
return "INSERT INTO ";<br />
}<br />
/**<br />
* Gets the table attribute of the InsertBuilder object<br />
* <br />
* @return The table value<br />
* @since<br />
*/<br />
public String getTable() {<br />
return table;<br />
}<br />
/**<br />
* Gets the what attribute of the InsertBuilder object<br />
* <br />
* @return The what value<br />
* @since<br />
*/<br />
public String getWhat() {<br />
StringBuffer columns = new StringBuffer();<br />
StringBuffer values = new StringBuffer();<br />
StringBuffer what = new StringBuffer();<br />
String columnName = null;<br />
Iterator iter = columnsAndData.keySet().iterator();<br />
while (iter.hasNext()) {<br />
columnName = (String) iter.next();<br />
columns.append(columnName);<br />
values.append(columnsAndData.get(columnName));<br />
if (iter.hasNext()) {<br />
columns.append(",");<br />
values.append(",");<br />
}<br />
}<br />
what.append(" (");<br />
what.append(columns);<br />
what.append(") VALUES (");<br />
what.append(values);<br />
what.append(") ");<br />
return what.toString();<br />
}<br />
/**<br />
* Gets the criteria attribute of the InsertBuilder object<br />
* <br />
* @return The criteria value<br />
* @since<br />
*/<br />
public String getCriteria() {<br />
return "";<br />
}<br />
/**<br />
* Adds a feature to the ColumnAndData attribute of the InsertBuilder object<br />
* <br />
* @param columnName<br />
* The feature to be added to the ColumnAndData attribute<br />
* @param value<br />
* The feature to be added to the ColumnAndData attribute<br />
* @since<br />
*/<br />
public void addColumnAndData(String columnName, Object value) {<br />
if (value != null) {<br />
columnsAndData.put(columnName, value);<br />
}<br />
}<br />
}<br />
<br />
<br />
<br />
</source><br />
<br />
<br />
<!-- end source code --></div>