-
1. Re: Value Expressions in EntityQuery's ejbql
nicolas.bielza Jan 7, 2009 4:03 PM (in response to so38)
We're facing the same problem. It's worth noting that this new behavior makes EntityQuery vulnerable to SQL injection: the Value Expression is not a parameter of the query; it is resolved and inserted into the query.
-
2. Re: Value Expressions in EntityQuery's ejbql
nicolas.bielza Jan 8, 2009 5:17 PM (in response to so38)
This problem only appears when defining EntityQueries in components.xml. When we extend EntityQuery in Java code, using EL in EJBQL works as previously.
So the problem seems to be related to the way in which query components are being instantiated from their XML description.
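The two replies above describe two ways a value expression such as #{search.name} can end up in a query string: resolved and pasted into the text (the behavior reported for queries defined in components.xml), or rewritten into a placeholder whose value is bound as a query parameter (the behavior the Java subclass path keeps). The following is an added example, not code from this thread or from Seam itself: a small Python emulation of both paths run against an in-memory SQLite table with constructed rows, using plain SQL in place of EJBQL. The regex, the `:elN` placeholder naming, the `make_resolver` lookup and the `search.name` expression are assumptions made for the illustration, not Seam's implementation.

```python
"""Emulate EL value expressions in a query string: pasted as text vs. bound as parameters.
Added example; the rewriting scheme and resolver are assumptions, not Seam's QueryParser."""
import re
import sqlite3

# Matches a Seam-style value expression such as #{search.name}
EL_PATTERN = re.compile(r"#\{([^}]*)\}")

# Constructed sample rows standing in for a persistence unit
SAMPLE_ROWS = [("alice", "a-note"), ("bob", "b-note")]

# Query text written the way an EntityQuery ejbql embeds EL (no quotes around the expression),
# but in plain SQL so that SQLite can execute it
QUERY = "select name from person where name = #{search.name}"


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (name text, note text)")
    conn.executemany("insert into person values (?, ?)", SAMPLE_ROWS)
    return conn


def make_resolver(values):
    """Toy EL resolver: looks the expression text up in a dict (assumed, not Seam's resolver)."""
    return lambda expr: values[expr]


def interpolate_el(query, resolver):
    """Unsafe path: resolve each #{...} and paste its value into the query text.
    The value becomes part of the query grammar, which is the injection the thread points out."""
    return EL_PATTERN.sub(lambda m: str(resolver(m.group(1))), query)


def parameterize_el(query, resolver):
    """Safe path: replace each #{...} with a named placeholder (:el1, :el2, ...) and
    return the resolved values separately so the driver binds them as literals."""
    exprs = []

    def placeholder(m):
        exprs.append(m.group(1))
        return ":el%d" % len(exprs)

    text = EL_PATTERN.sub(placeholder, query)
    params = {"el%d" % (i + 1): resolver(e) for i, e in enumerate(exprs)}
    return text, params


def run_interpolated(conn, query, resolver):
    """Execute the query with the EL value pasted into the SQL text."""
    return [row[0] for row in conn.execute(interpolate_el(query, resolver))]


def run_parameterized(conn, query, resolver):
    """Execute the query with the EL value bound as a named parameter."""
    text, params = parameterize_el(query, resolver)
    return [row[0] for row in conn.execute(text, params)]


if __name__ == "__main__":
    conn = open_db()
    benign = make_resolver({"search.name": "alice"})
    hostile = make_resolver({"search.name": "'' or 1=1"})
    print("parameterized, benign :", run_parameterized(conn, QUERY, benign))   # ['alice']
    print("parameterized, hostile:", run_parameterized(conn, QUERY, hostile))  # []
    print("interpolated, hostile :", run_interpolated(conn, QUERY, hostile))   # ['alice', 'bob']
    try:
        # Pasting a bare value in place of the expression does not even form a valid query
        run_interpolated(conn, QUERY, benign)
    except sqlite3.OperationalError as err:
        print("interpolated, benign  : query broken ->", err)
```

With the value bound as a parameter the hostile input is compared as a literal and matches nothing; pasted into the text it rewrites the WHERE clause and returns every row, while an ordinary value such as `alice` does not even parse, which is consistent with the first reply's observation that the expression is no longer a parameter of the query.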