Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within an HQL query handled?
example:
public L
It gets sent inline. You definitely don't want to do this when `status` is a client-controlled value. Rather parameterize it:
    // The HQL text is fixed; the value is bound by JDBC, not spliced into the query.
    return currentSession()
        .createQuery("FROM Student student WHERE student.status = :status")
        .setParameter("status", status)
        .list();
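The following is an added example, not code from the question or the answer above. It puts the inline-concatenation version next to the parameterized one so the difference is visible in one place, and goes a step further than the answer by covering the one case a bind parameter cannot fix: a client-controlled ORDER BY column, which has to be checked against an allowlist instead. It assumes Hibernate 5.2 or later on the classpath, a mapped entity class `Student` with a `String` field `status`, and a `Session` supplied by the caller; the class name `StudentQueries` and the allowlist contents are illustrative choices.

```java
// Added example, not from the original question or answer.
// Assumes Hibernate 5.2+ (org.hibernate.query.Query) and a mapped entity
// class Student with a String field "status".
import java.util.List;
import java.util.Set;
import org.hibernate.Session;
import org.hibernate.query.Query;

public class StudentQueries {

    // VULNERABLE: the caller's value is concatenated into the HQL string.
    // Hibernate still executes the generated SQL through a JDBC
    // PreparedStatement, but by then the value is already part of the query
    // text, so nothing is bound as a parameter. A status such as
    //   x' OR '1'='1
    // turns the WHERE clause into a tautology and returns every Student row.
    public static List<Student> findByStatusInline(Session session, String status) {
        String hql = "FROM Student student WHERE student.status = '" + status + "'";
        return session.createQuery(hql, Student.class).list();
    }

    // HARDENED: a named parameter. The HQL text is constant, Hibernate binds
    // the value through the PreparedStatement, and any quote characters in
    // the input are data, not syntax.
    public static List<Student> findByStatus(Session session, String status) {
        Query<Student> q = session.createQuery(
            "FROM Student student WHERE student.status = :status", Student.class);
        q.setParameter("status", status);
        return q.list();
    }

    // Identifiers (column names, sort direction) cannot be bound as
    // parameters, so a client-chosen sort field must be validated against a
    // fixed allowlist before it is spliced into the query text.
    // Hypothetical allowlist for this example: the fields the UI may sort by.
    private static final Set<String> SORTABLE = Set.of("name", "status", "enrolledOn");

    public static List<Student> findByStatusSorted(Session session, String status,
                                                   String sortField, boolean ascending) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field: " + sortField);
        }
        String hql = "FROM Student student WHERE student.status = :status"
                   + " ORDER BY student." + sortField + (ascending ? " ASC" : " DESC");
        Query<Student> q = session.createQuery(hql, Student.class);
        q.setParameter("status", status);
        return q.list();
    }
}
```

If you want to confirm what actually reaches the database, enable SQL logging (`hibernate.show_sql=true`) and call both methods with the same input: the inline version logs the payload inside the SQL text, while the parameterized version logs a `?` placeholder and binds the value separately.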