Right, you need to make sure quotes are escaped. I didn't find any existing statement preparation libraries for XPath, but see http://www.nabble.com/Quote-escaping-in-jcr%3Acontains-searchexp-tf2287760.html#a6392098
Joshua

>You are missing the convenience of the PreparedStatement... you will
>have to do your own data validation.
>
>Ottinger, Joseph wrote:
>> I was playing around with JCR's query facility and realised something a
>> little scary. Perhaps I'm just ignorant, but... hey, that's why I email
>> the list, right?
>>
>> When I build SQL queries, I do something like this: "select * from
>> nt:unstructured where foo='"+bar+"'";
>>
>> Oh, wait. If I was actually using JDBC, I'd *never* do this, because some
>> fool out there will try to set bar to something that will return more than
>> I want it to return. To wit: bar might equal "a' or 1=1" and lo, every node
>> will be returned. Application error at best, exposure of sensitive data at
>> worst.
>>
>> Then I thought, well, hey, I have XPath, right? But in XPath, I can
>> construct a query the same way. Hello, security hole.
>>
>> Am I missing something?
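Added example, not code from this thread or from any JCR implementation: the string-building step where the injection in the message above happens, shown for both the JCR SQL and XPath dialects, next to the quoting that the reply recommends. It assumes the JCR XPath form `//element(*, nt:unstructured)[@foo=...]`, SQL-92 style quote doubling for JCR SQL string literals, and XPath 1.0 string literal rules (no escape character; a value containing both quote characters has to be assembled with `concat()`). The hostile value is constructed and is a variant of the thread's `a' or 1=1` that leaves the concatenated query syntactically valid. The repository API itself is not called, since the problem is fully visible in the query text before it reaches the repository.

```python
import re

# Constructed attacker value: closes the quote and appends an always-true clause.
# Variant of the thread's "a' or 1=1" chosen so that the result still parses.
HOSTILE_BAR = "a' or '1'='1"


def unsafe_xpath(bar: str) -> str:
    """The pattern the thread warns about: untrusted input concatenated in."""
    return "//element(*, nt:unstructured)[@foo='" + bar + "']"


def unsafe_sql(bar: str) -> str:
    """Same mistake in the JCR SQL dialect."""
    return "select * from nt:unstructured where foo='" + bar + "'"


def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside a string literal. The options are
    to delimit with whichever quote character the value does not contain, or,
    when it contains both, to build the value from pieces with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append("'" + chunk + "'")  # chunks contain no single quote
        parts.append("\"'\"")               # the single quote itself
    parts.pop()                              # one quote piece too many
    return "concat(" + ", ".join(parts) + ")"


def sql_literal(value: str) -> str:
    """Render value as a single-quoted SQL string literal.

    Assumption: SQL-92 style quoting, where an embedded quote is doubled.
    """
    return "'" + value.replace("'", "''") + "'"


def safe_xpath(bar: str) -> str:
    """Untrusted input enters the query only as a quoted literal."""
    return "//element(*, nt:unstructured)[@foo=" + xpath_literal(bar) + "]"


def safe_sql(bar: str) -> str:
    return "select * from nt:unstructured where foo=" + sql_literal(bar)


# Hypothetical allow-list for a field whose values should never hold quotes.
_SIMPLE_VALUE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_simple(value: str) -> str:
    """The 'do your own data validation' half of the advice in the reply.

    Quoting keeps the literal intact; validation rejects values that should
    never have been accepted. Use both where the field has a known shape.
    """
    if not _SIMPLE_VALUE.match(value):
        raise ValueError("rejected value for query: %r" % value)
    return value


if __name__ == "__main__":
    print("unsafe xpath:", unsafe_xpath(HOSTILE_BAR))
    print("unsafe sql  :", unsafe_sql(HOSTILE_BAR))
    print("quoted xpath:", safe_xpath(HOSTILE_BAR))
    print("quoted sql  :", safe_sql(HOSTILE_BAR))
    print("concat form :", xpath_literal("it's \"quoted\""))
```

Running it shows the unsafe XPath predicate becoming `@foo='a' or '1'='1'`, which is true for every node, while the quoted form compares `@foo` against the whole hostile string as data. Two caveats: `concat()` is standard XPath 1.0, but JCR engines implement a subset of XPath, so confirm the repository you target accepts it in a predicate before relying on that branch (otherwise reject values that contain both quote characters). And quoting applies to string literals only; a value that is spliced in as a node name, property name or operator has to be validated against an allow-list instead, since no quoting rule makes it safe.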
