cayenne-user mailing list archives

From Mike Kienenberger <mkien...@gmail.com>
Subject Re: Dynamic SQL object query
Date Mon, 15 Nov 2010 12:43:20 GMT
Another important distinction is that the former will prevent SQL
injection attacks, while the latter can make such attacks possible.

http://en.wikipedia.org/wiki/SQL_injection

On Sun, Nov 14, 2010 at 2:06 PM, Andrus Adamchik <andrus@objectstyle.org> wrote:
>
> On Nov 13, 2010, at 12:40 AM, Marek Šabo wrote:
>
>
>> SELECT #result('COUNT(id)' 'Long' 'count')
>> from User #chain('AND' 'WHERE') #chunk($userId) id = #bind($userId) #end #chunk($userName)
>> userInfo.name LIKE $userName #end #end
>
>> because of "userInfo.name" which is object-style. So my first question is whether
>> there is a way of accomplishing this with EJBQL so I don't have to work with joins there.
>
>
> Yeah, something like this should work:
>
> SELECT COUNT(a) FROM User a WHERE a.id = :userId AND a.userInfo.name like :userName
>
>> Second, what is the difference between #bind($a) and just $a? Both work and I suppose
>> it's close to similar.
>
> The former results in a JDBC parameter inclusion and a call to PreparedStatement.setXYZ(a);
> the latter is embedded in the SQL as a String. So the former lets the JDBC driver do the right
> type conversions and is the recommended way to insert *parameter* objects in the query. The
> latter form can be used to dynamically build parts of the SQL query that are not parameters. It
> will work for some parameters as well (e.g. Strings), but won't work for others (e.g. Date).
>
> Andrus
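
The #bind($x) versus $x distinction Andrus and Mike describe, as an added illustration that is not part of the thread and not Cayenne's own code: a small Python renderer that simulates the two directives over sqlite3 with constructed rows, showing that a bound String containing an apostrophe and a bound Date both behave correctly, while the inlined forms give a syntax error and a silently wrong count.

```python
import re
import sqlite3
from datetime import date

# Constructed mini-renderer for the two SQLTemplate parameter forms in the thread:
# "#bind($x)" becomes a "?" placeholder whose value is handed to the driver
# (PreparedStatement.setXYZ in JDBC terms), while a bare "$x" is pasted into
# the SQL text as a string. Illustration only, not Cayenne's implementation.
_BIND = re.compile(r"#bind\(\$(\w+)\)")
_INLINE = re.compile(r"\$(\w+)")

def render(template, params):
    """Return (sql, bound_values): #bind params become '?', bare $x is inlined."""
    bound = []

    def _bind(m):
        bound.append(params[m.group(1)])
        return "?"

    sql = _BIND.sub(_bind, template)
    sql = _INLINE.sub(lambda m: str(params[m.group(1)]), sql)
    return sql, bound

def count_users(conn, template, params):
    sql, bound = render(template, params)
    return conn.execute(sql, bound).fetchone()[0]

def demo():
    sqlite3.register_adapter(date, lambda d: d.isoformat())  # the driver's type conversion
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",  # constructed sample rows
                     [(1, "O'Brien", "2010-11-01"), (2, "Smith", "2010-10-01")])
    out = {}
    # String parameter, bound: the apostrophe in the data is just data.
    out["bind_name"] = count_users(conn, "SELECT COUNT(id) FROM user WHERE name = #bind($name)", {"name": "O'Brien"})
    # Same value inlined: the apostrophe becomes SQL text and the statement no longer parses.
    try:
        count_users(conn, "SELECT COUNT(id) FROM user WHERE name = '$name'", {"name": "O'Brien"})
        out["inline_name"] = "ok"
    except sqlite3.OperationalError:
        out["inline_name"] = "syntax error"
    # Date parameter, bound: converted by the driver. Inlined: becomes the arithmetic 2010-10-15.
    since = {"since": date(2010, 10, 15)}
    out["bind_date"] = count_users(conn, "SELECT COUNT(id) FROM user WHERE created >= #bind($since)", since)
    out["inline_date"] = count_users(conn, "SELECT COUNT(id) FROM user WHERE created >= $since", since)
    return out

if __name__ == "__main__":
    print(demo())  # {'bind_name': 1, 'inline_name': 'syntax error', 'bind_date': 1, 'inline_date': 2}
```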
