-
1. Re: SQL injection with getEjbql?
svadu May 26, 2008 10:50 PM (in response to ido_tamir)
Why don't you use restrictions for this case?
-
2. Re: SQL injection with getEjbql?
juanse1987 Feb 25, 2009 5:35 PM (in response to ido_tamir)

import javax.persistence.EntityManager;
import javax.persistence.Query;

public String getEjbql() {
    return "select bet from Bet bet where bet.user.userName = ?1 or bet.user.userName = ?2";
}

// setParameter() belongs to the javax.persistence.Query built from that string, not to the String itself
public Query createQuery(EntityManager em) {
    Query query = em.createQuery(getEjbql());
    query.setParameter(1, userName);
    query.setParameter(2, anotherUserName);
    return query;
}

The EJB QL defines two indexed parameters for the query: ?1 and ?2. These parameters are set with the Query.setParameter() method and the query is executed.
I hope that this works for you!!
See ya!
-
3. Re: SQL injection with getEjbql?
norman Feb 25, 2009 11:45 PM (in response to ido_tamir)
Never ever construct a query like this. Even if you have thought through it and are absolutely certain you aren't vulnerable, it's still a terrible idea. In addition to the style of parameterized query shown here, you can also use EL in the query. Seam will automatically turn this into a proper parameterized query.
-
4. Re: SQL injection with getEjbql?
wilczarz.wilczarz.gmail.com Feb 26, 2009 11:35 AM (in response to ido_tamir)
Norman, is it possible to create a restriction on an enum field with an additional option "any"? Search forms with such combos are a popular design but don't seem to fit EL-based restrictions.
-
5. Re: SQL injection with getEjbql?
norman Feb 26, 2009 5:20 PM (in response to ido_tamir)
The EL just creates a parameterized query behind the scenes, so if EJBQL supports parameterization of the part of the query you are interested in, you can use the EL version of it. If EJBQL doesn't support what you want, then Seam can't help.
-
6. Re: SQL injection with getEjbql?
wilczarz.wilczarz.gmail.com Feb 26, 2009 6:52 PM (in response to ido_tamir)
I get it - creation of the query comes before the EL resolving. But wouldn't it be useful to have the underlying Query dynamic enough to skip a restriction under some circumstances? E.g. restrictions added as

setRestrictions( ConditionalRestriction( "client.foo = #{foo}", "#{not empty foo}" ), ConditionalRestriction( "client.bar is not null", "#{useBar}" ) )

could be used in query assembly only if the second expression resolves to true?
Sorry for the off-topic :)
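The following is an added example, not code posted in this thread and not part of Seam itself. It shows the point made in replies 3 to 6 with plain JPA only: the query text is assembled from fixed restriction fragments, each carrying a named parameter, and a restriction is simply left out when the search-form field is empty or its enum combo is set to "any". The user-supplied value therefore never becomes part of the EJB QL string. The `Bet` entity, its `status` field, the `BetStatus` enum and the `ANY` value are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Added example: optional search-form restrictions assembled into one
// parameterized EJB QL query. Bet, bet.status and BetStatus are hypothetical.
public class BetSearch {

    public enum BetStatus { ANY, OPEN, SETTLED }

    // Each restriction is a fixed fragment containing a named parameter; the
    // value it refers to travels separately in the parameter map.
    private final List<String> restrictions = new ArrayList<>();
    private final Map<String, Object> parameters = new LinkedHashMap<>();

    private void restrict(String condition, String name, Object value) {
        restrictions.add(condition);
        parameters.put(name, value);
    }

    // What NOT to do (the pattern the thread warns against):
    //   "... where bet.user.userName = '" + userName + "'"
    // Here the restriction is only appended when the field was filled in,
    // and the text appended never contains the value itself.
    public BetSearch withUserName(String userName) {
        if (userName != null && !userName.isEmpty()) {
            restrict("bet.user.userName = :userName", "userName", userName);
        }
        return this;
    }

    // The "any" option of an enum combo means: no restriction on this field.
    public BetSearch withStatus(BetStatus status) {
        if (status != null && status != BetStatus.ANY) {
            restrict("bet.status = :status", "status", status);
        }
        return this;
    }

    // The query text depends only on WHICH fields were filled in, never on
    // their content, so input such as  x' or '1'='1  cannot alter its structure.
    public String getEjbql() {
        StringBuilder ejbql = new StringBuilder("select bet from Bet bet");
        for (int i = 0; i < restrictions.size(); i++) {
            ejbql.append(i == 0 ? " where " : " and ").append(restrictions.get(i));
        }
        return ejbql.toString();
    }

    // Binds every collected value through Query.setParameter() and runs the query.
    @SuppressWarnings("unchecked")
    public List<Bet> getResultList(EntityManager em) {
        Query query = em.createQuery(getEjbql());
        for (Map.Entry<String, Object> p : parameters.entrySet()) {
            query.setParameter(p.getKey(), p.getValue());
        }
        return query.getResultList();
    }

    // Usage: new BetSearch().withUserName(form.userName)
    //                       .withStatus(form.status)      // ANY -> no status clause
    //                       .getResultList(entityManager);
}
```

With both fields empty the query is `select bet from Bet bet`; with only a username it is `select bet from Bet bet where bet.user.userName = :userName`, and the username is bound as a parameter. This is the same effect Seam's EL-based restrictions give you (reply 5): a restriction string with `#{...}` inside it becomes a parameterized query, and the "conditional restriction" of reply 6 is just the decision, taken before the string is built, of whether to append the fragment at all.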