String searchSQLFilter(String keyword) {
    // Strip a fixed blacklist of characters from the keyword (\Q...\E quotes the regex).
    for (String filter : new String[]{"|", "&", "*", "%", ";", "-", "+", ",", "<", ">"}) {
        keyword = keyword.replaceAll("\\Q" + filter + "\\E", "");
    }
    // Prefix every single quote with a backslash.
    keyword = keyword.replaceAll("'", "\\\\'");
    return keyword;
}
SQL query: checking my SQL query filter method, is this safe?
select * from table where title like '%"+searchSQLFilter(keyword)+"%'
I would like to know whether the searchSQLFilter method is safe.
By the way: I know this is bad, and using PreparedStatement is better.
I would like to ask you why you are doing your own filtering?
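The PreparedStatement approach the question already mentions, written out as an added example (not code from the question or its comments). The table name `articles` and the column `title` are assumptions; the keyword never becomes part of the SQL text, and only the LIKE wildcards need escaping, which is done with a portable escape character rather than a backslash.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class TitleSearch {

    // Escape character for LIKE; '!' avoids the backslash handling that differs between databases.
    static final char LIKE_ESCAPE = '!';

    // Make a user-supplied keyword match literally inside a LIKE pattern.
    // Quotes are NOT touched here: the JDBC driver sends the value separately from the SQL.
    static String escapeLikeWildcards(String keyword) {
        StringBuilder sb = new StringBuilder(keyword.length());
        for (char c : keyword.toCharArray()) {
            if (c == '%' || c == '_' || c == LIKE_ESCAPE) {
                sb.append(LIKE_ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Fixed query text; the pattern is bound as a parameter. Table/column names are assumed.
    static List<String> searchTitles(Connection conn, String keyword) throws SQLException {
        String sql = "SELECT title FROM articles WHERE title LIKE ? ESCAPE '" + LIKE_ESCAPE + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLikeWildcards(keyword) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                List<String> titles = new ArrayList<>();
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
                return titles;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a quote, which the blacklist filter rewrites, needs no change here;
        // wildcard characters, which the blacklist filter silently drops, are kept and escaped.
        System.out.println(escapeLikeWildcards("O'Reilly"));
        System.out.println(escapeLikeWildcards("100%_done!"));
    }
}
```

Because the keyword is bound with setString, characters the blacklist had to remove (such as `%` or `-`) can now appear in a search and still match literally.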