escape<R extends SqlType> static method

String escape<R extends SqlType>(
  String input
)

Escapes the quote characters in a string value so that it can be embedded in a SQL string literal without terminating it.

The behaviour depends on the dialect selected by the type argument R. When SqlType.isSqlite<R>() is true, single quotes are doubled (' becomes ''), which is the standard SQL way to write a quote inside a literal. For every other dialect, single and double quotes are each prefixed with a backslash.

input The string to escape.

Returns the escaped string. Only quote characters are rewritten; backslashes and every other character pass through unchanged. In the backslash-escaping branch this means a value that already ends in a backslash is not neutralised (\' becomes \\', which a backslash-aware parser reads as an escaped backslash followed by an unescaped quote), so callers should prefer bound parameters where the driver offers them and treat this escape as a fallback for building literals only.

Note: This method is marked for improvement (@TODO).

Example (non-SQLite branch; the returned strings are shown as Dart literals, so \\' denotes a backslash followed by a quote):

QVar.escape("Hello 'World'"); // "Hello \\'World\\'"
QVar.escape('Say "Hi"'); // "Say \\"Hi\\""

Implementation

// @TODO improve this method
static String escape<R extends SqlType>(String input) {
  if (SqlType.isSqlite<R>()) {
    // SQLite has no backslash escapes: a quote inside a literal is written as two quotes.
    input = input.replaceAll("'", "''");
  } else {
    // Backslash-escaping dialects: prefix both quote characters with a backslash.
    // Backslashes already present in the input are left as they are.
    input = input.replaceAll('"', '\\"');
    input = input.replaceAll("'", "\\'");
  }
  return input;
}
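The following is an added, stand-alone example and is not part of the QVar library. escapeFor re-implements the two branches of the implementation above with an explicit sqlite flag in place of the library's SqlType.isSqlite<R>() check (SqlType is not available outside the library), escapeFully is a hardened variant that is an assumption of this example rather than the library's code, and unescapedQuotes is a small checker that counts the quote delimiters a backslash-aware parser would see. Running it shows the documented output for ordinary values and why a value ending in a backslash is a problem for the non-SQLite branch.

```dart
// Added example, not the QVar library's code. `escapeFor` mirrors the escape
// logic of QVar.escape with a `sqlite` flag standing in for
// SqlType.isSqlite<R>(); `escapeFully` is a hypothetical hardened variant.
String escapeFor(String input, {required bool sqlite}) {
  if (sqlite) {
    // SQLite has no backslash escapes: a quote is written as two quotes.
    return input.replaceAll("'", "''");
  }
  // Backslash-escaping dialects: quotes are prefixed with a backslash.
  return input.replaceAll('"', '\\"').replaceAll("'", "\\'");
}

// Same as the non-SQLite branch, but escapes backslashes first so that a
// backslash already present in the input cannot swallow the backslash added
// in front of a following quote.
String escapeFully(String input) => input
    .replaceAll('\\', '\\\\')
    .replaceAll('"', '\\"')
    .replaceAll("'", "\\'");

// Wraps an escaped value in single quotes the way a concatenated query would.
String literal(String escaped) => "'$escaped'";

// Counts the single quotes a backslash-aware parser treats as unescaped.
// A correctly built literal has exactly two: the opening and closing ones.
int unescapedQuotes(String lit) {
  var count = 0;
  var i = 0;
  while (i < lit.length) {
    if (lit[i] == '\\') {
      i += 2; // skip the character protected by the backslash
      continue;
    }
    if (lit[i] == "'") count++;
    i++;
  }
  return count;
}

void main() {
  // Ordinary values behave as the documentation describes.
  print(literal(escapeFor("Hello 'World'", sqlite: false))); // 'Hello \'World\''
  print(literal(escapeFor("Hello 'World'", sqlite: true)));  // 'Hello ''World'''

  // Constructed input ending in a backslash before the quote. The non-SQLite
  // branch turns \' into \\', which the parser reads as an escaped backslash
  // followed by an unescaped quote, so the literal closes early.
  const tricky = "\\' OR 1=1 --";
  final weak = literal(escapeFor(tricky, sqlite: false));
  final strong = literal(escapeFully(tricky));
  print('$weak   unescaped quotes: ${unescapedQuotes(weak)}');   // 3
  print('$strong   unescaped quotes: ${unescapedQuotes(strong)}'); // 2
}
```

The SQLite branch does not have this problem because SQLite gives the backslash no special meaning, so doubling the quote is sufficient there. For the other dialects, escaping the backslash before the quotes (as escapeFully does) keeps the literal intact, but bound parameters remain the better choice wherever the driver supports them.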