Prepared statements, hibernate and HQL

Front-end · Unresolved · 1 · 1565
天涯浪人 2021-02-13 22:53

Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within an HQL query handled?

example:

  public L
1 answer
  •  闹比i (OP)
    2021-02-13 23:40

    It gets sent inline. You definitely don't want to do this when status is a client-controlled value.

    Rather parameterize it:

    return currentSession()
        .createQuery("FROM Student student WHERE student.status = :status")
        .setParameter("status", status)
        .list();
    

    See also:

    • OWASP - Hibernate
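
    An added, self-contained Java demonstration (not code from the original post) that puts the inline form the question asks about next to the parameterized form from the answer, against an in-memory H2 database so it runs offline. It assumes Hibernate 5.x (javax.persistence annotations) and the H2 driver on the classpath; the entity, rows and the input value are constructed for the example.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
@Entity
public class Student {
    @Id public Long id;
    public String status;
    static Student of(Long id, String status) { Student x = new Student(); x.id = id; x.status = status; return x; }
    // In-memory H2 so this runs offline; show_sql prints the SQL Hibernate actually generates.
    static SessionFactory buildFactory() {
        return new Configuration()
            .setProperty("hibernate.connection.driver_class", "org.h2.Driver")
            .setProperty("hibernate.connection.url", "jdbc:h2:mem:demo")
            .setProperty("hibernate.dialect", "org.hibernate.dialect.H2Dialect")
            .setProperty("hibernate.hbm2ddl.auto", "create")
            .setProperty("hibernate.show_sql", "true")
            .addAnnotatedClass(Student.class)
            .buildSessionFactory();
    }
    // Inline form from the question: the value is spliced into the HQL text, so it reaches SQL as a literal.
    static List<Student> findInline(Session s, String status) {
        return s.createQuery("FROM Student student WHERE student.status = '" + status + "'", Student.class).getResultList();
    }
    // Form from the answer: the value is bound as a JDBC parameter and shows up as ? in the logged SQL.
    static List<Student> findParameterized(Session s, String status) {
        return s.createQuery("FROM Student student WHERE student.status = :status", Student.class)
                .setParameter("status", status)
                .getResultList();
    }
    public static void main(String[] args) {
        SessionFactory sf = buildFactory();
        Session s = sf.openSession();
        s.beginTransaction();
        s.save(of(1L, "active"));
        s.save(of(2L, "it's complicated")); // constructed row whose status contains a quote
        s.getTransaction().commit();
        String input = "it's complicated"; // stands in for a client-controlled value
        System.out.println("parameterized matches: " + findParameterized(s, input).size());
        try {
            System.out.println("inline matches: " + findInline(s, input).size());
        } catch (RuntimeException e) { // the quote closes the HQL literal early; the query does not even parse
            System.out.println("inline failed: " + e.getClass().getSimpleName());
        }
        s.close(); sf.close();
    }
}
```

    With show_sql on, the bound query is logged with a ? placeholder while the inline query carries the value in its text, which is the difference the question asks about.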
