/**
 * Any data that will be put in an SQL query should
 * be escaped. This is especially important for data
 * that comes from untrusted sources such as Internet users.
 *
* For example if you had the following SQL query:
* "SELECT * FROM addresses WHERE name='" + name + "' AND private='N'"
* Without this function a user could give " OR 1=1 OR ''='"
* as their name causing the query to be:
* "SELECT * FROM addresses WHERE name='' OR 1=1 OR ''='' AND private='N'"
* which will give all addresses, including private ones.
* Correct usage would be:
* "SELECT * FROM addresses WHERE name='" + StringHelper.escapeSQL(name) + "' AND private='N'"
*
* Another way to avoid this problem is to use a PreparedStatement
* with appropriate placeholders.
*
* @param s String to be escaped
* @return escaped String
* @throws NullPointerException if s is null.
*
* @since ostermillerutils 1.00.00
*/
public static String escapeSQL(String s){
    int length = s.length();
    int newLength = length;
    // first check for characters that might
    // be dangerous and calculate a length
    // of the string that has escapes.
    for (int i=0; i<length; i++){
        char c = s.charAt(i);
        // completion of the truncated source: the escaped set assumed here is
        // backslash, double quote, single quote and NUL, each growing by one char
        if (c == '\\' || c == '\"' || c == '\'' || c == '\0'){
            newLength += 1;
        }
    }
    if (length == newLength){
        // nothing to escape in the string
        return s;
    }
    StringBuilder sb = new StringBuilder(newLength);
    for (int i=0; i<length; i++){
        char c = s.charAt(i);
        switch(c){
            case '\\': sb.append("\\\\"); break;   // \  ->  \\
            case '\"': sb.append("\\\""); break;   // "  ->  \"
            case '\'': sb.append("\\'");  break;   // '  ->  \'
            case '\0': sb.append("\\0");  break;   // NUL -> \0
            default:   sb.append(c);
        }
    }
    return sb.toString();
}
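The Javadoc above names two defences for the same lookup: escaping every untrusted fragment before concatenation, or a PreparedStatement with placeholders. The class below is an added example, not ostermillerutils code, showing both side by side on the query from the comment; it assumes a table `addresses` with the columns `name` and `private` used there, and it needs a JDBC `Connection` from the caller for the placeholder variant.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example (not part of ostermillerutils): the two query-building
// approaches the escapeSQL Javadoc describes, applied to its own query.
public class AddressLookup {

    // Approach 1: concatenation, safe only because every untrusted fragment
    // goes through StringHelper.escapeSQL before it is spliced into the SQL.
    static String buildEscapedQuery(String name) {
        return "SELECT * FROM addresses WHERE name='"
                + StringHelper.escapeSQL(name) + "' AND private='N'";
    }

    // Approach 2 (preferred): a PreparedStatement with a placeholder. The
    // driver transmits the value separately from the SQL text, so no quote
    // character inside the value can terminate the string literal.
    static int countPublicAddresses(Connection conn, String name) throws SQLException {
        String sql = "SELECT * FROM addresses WHERE name=? AND private='N'";
        int rows = 0;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);             // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows++;
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed input: the hostile "name" from the Javadoc above.
        // The printed query keeps it inside the literal because each quote
        // now carries a backslash in front of it.
        String hostile = "' OR 1=1 OR ''='";
        System.out.println(buildEscapedQuery(hostile));
    }
}
```

Two caveats a reviewer would raise on approach 1: escaping protects only a value that sits inside a quoted string literal, so a fragment used as a number, a column name or an ORDER BY direction is not covered; and backslash escaping matches MySQL's default quoting, whereas a database that follows the SQL standard (doubled single quotes, no backslash escapes) needs different escaping. Placeholders avoid both problems, which is why the Javadoc points to PreparedStatement as the alternative.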