From: Mike Kienenberger
Date: Mon, 15 Nov 2010 07:43:20 -0500
Subject: Re: Dynamic SQL object query
To: user@cayenne.apache.org

Another important distinction is that the former will prevent SQL injection attacks, while the latter can make such attacks possible.

http://en.wikipedia.org/wiki/SQL_injection

On Sun, Nov 14, 2010 at 2:06 PM, Andrus Adamchik wrote:
>
> On Nov 13, 2010, at 12:40 AM, Marek Šabo wrote:
>
>
>> SELECT #result('COUNT(id)' 'Long' 'count')
>> from User #chain('AND' 'WHERE') #chunk($userId) id = #bind($userId) #end #chunk($userName) userInfo.name LIKE $userName #end #end
>
>> because of "userInfo.name" which is object-style. So my first question is whether there is a way of accomplishing this with EJBQL so I don't have to work with joins there.
>
>
> Yeah, something like this should work:
>
> SELECT COUNT(a) FROM User a WHERE a.id = :userId AND a.userInfo.name like :userName
>
>> Second, what is the difference between #bind($a) and just $a. Both work and I suppose it's close to similar.
>
> The former results in a JDBC parameter inclusion and a call to PreparedStatement.setXYZ(a), the latter is embedded in the SQL as a String. So the former lets the JDBC driver do the right type conversions and is a recommended way to insert *parameter* objects in the query. The latter form can be used to dynamically build parts of SQL query that are not parameters. It will work for some parameters as well (e.g. Strings), but won't work for others (e.g. Date).
>
> Andrus
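
The difference between `#bind($a)` and a bare `$a` discussed in this thread, as an added example that is not part of the original messages and is not Cayenne code. It is a simplified Python model with sqlite3 standing in for JDBC; the `render` helper, the `user` table, the quoted `'$userName'` template and the sample values are all constructed for illustration.

```python
import re
import sqlite3

# Simplified model of the two substitution styles; not Cayenne's template engine.
# render(), the user table and all sample values are constructed for illustration.
TOKEN = re.compile(r"#bind\(\$(\w+)\)|\$(\w+)")

BOUND = "SELECT COUNT(id) FROM user WHERE name LIKE #bind($userName)"
EMBEDDED = "SELECT COUNT(id) FROM user WHERE name LIKE '$userName'"


def render(template, values):
    """Return (sql, params). #bind($x) becomes a '?' placeholder whose value
    travels separately; a bare $x is pasted into the SQL text as a string."""
    params = []

    def substitute(match):
        if match.group(1):                       # #bind($name)
            params.append(values[match.group(1)])
            return "?"
        return str(values[match.group(2)])       # bare $name

    return TOKEN.sub(substitute, template), params


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO user (name) VALUES (?)",
                   [("alice",), ("bob",), ("o'brien",)])
    return db


def count(db, template, values):
    """Run the rendered query; return None if the SQL text no longer parses."""
    sql, params = render(template, values)
    try:
        return db.execute(sql, params).fetchone()[0]
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name), "bound:", count(db, BOUND, {"userName": name}),
              "embedded:", count(db, EMBEDDED, {"userName": name}))
```

With the embedded form, a value containing a quote either breaks the statement or rewrites its WHERE clause; with the bound form the same value is only ever compared as data.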