6 Replies Latest reply on Feb 26, 2009 6:52 PM by Tomasz Wilczynski

    SQL injection with getEjbql?

    Ido Tamir Newbie

      Hi,
      I am using a RESTful approach and I am rendering a view based on parameters with a subclassed EntityQuery (this works really nicely, thanks to Seam and Trinidad, btw). Do I have to fear, or how do I prevent, an SQL injection attack?


      I guess with a userID (integer) I would be on the safe side, but it would not look as nice.



      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.framework.EntityQuery;

      @Name("betsListForUser")
      public class BetList extends EntityQuery<Bet> implements IBetList {
          // Bound from the request via the <param> in pages.xml below
          private String userName;

          // userName is request-controlled and spliced straight into the EJBQL string
          public String getEjbql() {
              String query = "select bet from Bet bet where bet.user.userName = " + "'" + userName + "'";
              return query;
          }

          @Override
          public Integer getMaxResults() {
              return 10;
          }

          public String getUserName() {
              return userName;
          }

          public void setUserName(String userName) {
              this.userName = userName;
          }
      }

      <page view-id="/betList.xhtml">
          <param name="userName" value="#{betsListForUser.userName}"/>
      </page>
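A parameterised rewrite of the query above, added here as an example and not the poster's or Seam's own code; it assumes Seam 2's EntityQuery, Seam's handling of `#{...}` restriction expressions (bound as query parameters at query time), and the same Bet entity, component name and page parameter.

```java
// Added example, not the original poster's code. Assumes Seam 2's
// org.jboss.seam.framework.EntityQuery and its handling of #{...} restriction
// expressions, which Seam binds as JPA query parameters instead of splicing text.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.framework.EntityQuery;

@Name("betsListForUser")
public class BetList extends EntityQuery<Bet> {

    // The query text is a constant: nothing from the request is concatenated
    // into it, so there is no string literal for input to break out of.
    private static final String EJBQL = "select bet from Bet bet";

    // The filter is an EL expression, not a literal. Seam replaces
    // #{betsListForUser.userName} with a query parameter and passes the value
    // through setParameter, so a quote or keyword in the user name is compared
    // as data and never parsed as EJBQL.
    private static final String[] RESTRICTIONS = {
        "bet.user.userName = #{betsListForUser.userName}"
    };

    private String userName;

    public BetList() {
        setEjbql(EJBQL);
        setRestrictionExpressionStrings(Arrays.asList(RESTRICTIONS));
        setMaxResults(10);
    }

    public String getUserName() {
        return userName;
    }

    public void setUserName(String userName) {
        this.userName = userName;
    }

    // Caveat: Seam leaves out a restriction whose expression evaluates to null,
    // so a request without a userName parameter would otherwise list every
    // user's bets. Refuse such requests instead of silently widening the query.
    @Override
    public List<Bet> getResultList() {
        if (userName == null || userName.isEmpty()) {
            return Collections.emptyList();
        }
        return super.getResultList();
    }
}
```

The component name and the userName property are unchanged, so the existing `<param>` entry in pages.xml keeps working as-is.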