jdbc PreparedStatement 防止sql注入的关键代码片段
mysql-connector-java-5.1.38.jar
PreparedStatement 的 setString(int parameterIndex, String x) 方法
// Client-side escaping loop from Connector/J's PreparedStatement.setString: every
// character of x is copied into buf, and the characters MySQL treats specially
// inside a quoted string literal are replaced by their backslash-escaped form.
// The loop depends on names from the enclosing method that are not shown here
// (x, stringLength, buf, and the this.usingAnsiMode / this.charsetEncoder fields).
for (int i = 0; i < stringLength; ++i) {
    char c = x.charAt(i);
    switch (c) {
        case 0: /* Must be escaped for 'mysql' */
            // NUL -> "\0"
            buf.append('\\');
            buf.append('0');
            break;
        case '\n': /* Must be escaped for logs */
            // LF -> "\n"
            buf.append('\\');
            buf.append('n');
            break;
        case '\r':
            // CR -> "\r"
            buf.append('\\');
            buf.append('r');
            break;
        case '\\':
            // A literal backslash must itself be escaped, otherwise it would
            // turn the following character into an escape sequence.
            buf.append('\\');
            buf.append('\\');
            break;
        case '\'':
            // The single quote delimits the literal; escaping it is what stops a
            // value from terminating the string and appending its own SQL.
            buf.append('\\');
            buf.append('\'');
            break;
        case '"': /* Better safe than sorry */
            // Only escaped when the connection is in ANSI mode (this.usingAnsiMode);
            // otherwise the double quote is copied through unchanged.
            if (this.usingAnsiMode) {
                buf.append('\\');
            }
            buf.append('"');
            break;
        case '\032': /* This gives problems on Win32 */
            // Ctrl-Z (0x1A) -> "\Z"
            buf.append('\\');
            buf.append('Z');
            break;
        case '\u00a5':
        case '\u20a9':
            // escape characters interpreted as backslash by mysql
            // Yen sign (U+00A5) and Won sign (U+20A9): the character is encoded with
            // the connection's charset encoder, and if its first encoded byte is 0x5C
            // (the ASCII backslash) a backslash is prepended so MySQL does not read
            // that byte as the start of an escape sequence. Skipped entirely when
            // this.charsetEncoder is null.
            // NOTE(review): the CoderResult of encode() is not checked; bbuf is a
            // freshly allocated (zero-filled) buffer, so an unmappable character would
            // leave bbuf.get(0) == 0 and the backslash would not be added — confirm
            // whether that is the intended behaviour for such charsets.
            if (this.charsetEncoder != null) {
                CharBuffer cbuf = CharBuffer.allocate(1);
                ByteBuffer bbuf = ByteBuffer.allocate(1);
                cbuf.put(c);
                cbuf.position(0);
                this.charsetEncoder.encode(cbuf, bbuf, true);
                if (bbuf.get(0) == '\\') {
                    buf.append('\\');
                }
            }
            // fall through
        default:
            // Every other character (including the Yen/Won sign itself after the
            // fall-through above) is copied verbatim.
            buf.append(c);
    }
}
 
                    
                     
                    
                 
                    
                
 
                
            
         