-
1. Re: Seam Framework EntityQuery restrictions does not work fo
cptnkirk Apr 17, 2007 11:51 AM (in response to lkw)
exception?
-
2. Re: Seam Framework EntityQuery restrictions does not work fo
fernando_jmt Apr 17, 2007 1:57 PM (in response to lkw)
Just try:
<fwk:restrictions>
  <value>lower(firstName) like lower( concat(#{exampleContact.firstName}, '%' ))</value>
  <value>lower(lastName) like lower(concat( #{exampleContact.lastName}, '%' ))</value>
</fwk:restrictions>
That should work in MySQL.
-
3. Re: Seam Framework EntityQuery restrictions does not work fo
lkw Apr 17, 2007 11:33 PM (in response to lkw)
Thx everyone for the help. The solution provided by fernando_jmt works. Looks like the value element in the restrictions is dependent on the underlying DBMS.
-
4. Re: Seam Framework EntityQuery restrictions does not work fo
cptnkirk Apr 18, 2007 12:09 AM (in response to lkw)
This just seems begging for a SQL injection problem. Be careful when using this feature.
-
5. Re: Seam Framework EntityQuery restrictions does not work fo
matt.drees Apr 18, 2007 1:23 AM (in response to lkw)
How so? EL expressions get replaced by a parameter, which would cause the input to be escaped correctly, right?
-
6. Re: Seam Framework EntityQuery restrictions does not work fo
cptnkirk Apr 18, 2007 2:48 AM (in response to lkw)
If that's correct, then great. I'm wrong and everything is safe. I've been cleaning out a lot of "select ... where name like "+name+"%" from a codebase I inherited. So I may just have been spooked by seeing "#{expression} + %". That said, I don't recall reading anywhere that Seam does what you describe. Seam inlines these EL expressions elsewhere in components.xml.
<component class="com.helloworld.Hello" name="hello">
  <property name="name">#{user.name}</property>
</component>
-
7. Re: Seam Framework EntityQuery restrictions does not work fo
cptnkirk Apr 18, 2007 3:06 AM (in response to lkw)
I guess I'm just expecting the values to be run through Seam's interpolator, which just does a string replace. I don't expect that Seam will generate a prepared statement, replace the EL with bind variables, etc. If it does, more power to Gavin.
-
8. Re: Seam Framework EntityQuery restrictions does not work fo
pmuir Apr 18, 2007 8:25 AM (in response to lkw)
AFAICS this is exactly what it does - QueryParser in org.jboss.seam.persistence takes an ejbql which contains EL, , and replaces it with a parameter number, and creates a list of parameter value bindings. Then in EntityQuery query.setParameter is used.
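The rewriting described in the post above, as an added example that is not part of the thread and is not Seam's QueryParser source: a simplified stand-in that contrasts substituting an EL value into the query text with replacing it by a placeholder and a recorded binding. The class name ElRestrictionDemo, the :elN placeholder names and the sample input are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration, not Seam source code: a simplified stand-in for the
// EL-to-parameter rewriting discussed in the thread.
public class ElRestrictionDemo {
    private static final Pattern EL = Pattern.compile("#\\{([^}]+)\\}");

    // String-replace variant: the EL value becomes part of the query text.
    static String interpolate(String restriction, Map<String, String> context) {
        Matcher m = EL.matcher(restriction);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = context.get(m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement("'" + value + "'"));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Parameter variant: each EL expression becomes a placeholder (:el1, :el2, ...)
    // and the expression is recorded so its value can be bound separately.
    static String parameterize(String restriction, List<String> bindings) {
        Matcher m = EL.matcher(restriction);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            bindings.add(m.group(1));
            m.appendReplacement(out, ":el" + bindings.size());
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String restriction = "lower(firstName) like lower(concat(#{exampleContact.firstName}, '%'))";
        // Constructed input: a single quote is enough to change the interpolated statement.
        Map<String, String> context = Map.of("exampleContact.firstName", "O'Brien");
        System.out.println("interpolated : " + interpolate(restriction, context));
        List<String> bindings = new ArrayList<>();
        System.out.println("parameterized: " + parameterize(restriction, bindings));
        for (int i = 0; i < bindings.size(); i++) {
            // With JPA this step would be query.setParameter("el" + (i + 1), value).
            System.out.println("  bind el" + (i + 1) + " = " + context.get(bindings.get(i)));
        }
    }
}
```

In the parameterized form the query text is the same for every input, and the value travels only through the binding, so a quote in the name cannot alter the statement.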
-
9. Re: Seam Framework EntityQuery restrictions does not work fo
matt.drees Apr 18, 2007 10:10 AM (in response to lkw)
http://docs.jboss.com/seam/1.2.1.GA/reference/en/html/persistence.html#d0e5563
So this only works if you're using a Seam-managed persistence context. If you're not, I'm not sure if you'll get a parse error or an SQL injection vulnerability.
-
10. Re: Seam Framework EntityQuery restrictions does not work fo
pmuir Apr 18, 2007 10:37 AM (in response to lkw)
Err, that link says it works whether you use an SMPC or a plain JPA PC. It also clears up the SQL injection question.
-
11. Re: Seam Framework EntityQuery restrictions does not work fo
cptnkirk Apr 18, 2007 10:56 AM (in response to lkw)
Yep, +1 Seam crew. I should have known better. :)
-
12. Re: Seam Framework EntityQuery restrictions does not work fo
matt.drees Apr 18, 2007 11:25 PM (in response to lkw)
Duh, yeah, you're right. Somehow missed the second part of that sentence. Thanks for the correction.