6 Replies Latest reply on Feb 26, 2009 6:52 PM by Tomasz Wilczynski

    SQL injection with getEjbql?

    Ido Tamir Newbie

      I am using a RESTful approach and I am rendering a view based on parameters with a subclassed EntityQuery (this works really nicely, thanks to SEAM and Trinidad, btw). Do I have to fear an SQL injection attack, or how do I prevent one?

      I guess with a userID (integer) I would be on the safe side, but it would not look as nice.

      import org.jboss.seam.framework.EntityQuery;

      public class BetList extends EntityQuery<Bet> implements IBetList {
           private String userName;
           // The request parameter is concatenated straight into the EJBQL text;
           // this is the construction the question is about.
           public String getEjbql() {
                String query = "select bet from Bet bet where bet.user.userName = " + "\'" + userName + "\'";
                return query;
           }
           public Integer getMaxResults() {
                return 10;
           }
           public String getUserName() {
                return userName;
           }
           public void setUserName(String userName) {
                this.userName = userName;
           }
      }


      <page view-id="/betList.xhtml">
           <param name="userName" value="#{betsListForUser.userName}"/>
      </page>
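Added example, not code from the thread: the class above splices the request parameter into the query text, so a userName such as x' or '1'='1 is parsed as part of the EJBQL where-clause rather than compared as a value (JPQL/EJBQL injection, which the JPA provider then turns into SQL). The hardened version below keeps the query text constant and lets Seam bind the value as a named parameter through a restriction expression; a plain JPA named-parameter variant is included for readers who build the query themselves. The component name betsListForUser is taken from the pages.xml fragment in the post; the @Name annotation, the Bet entity and the constructor layout are assumptions.

```java
import java.util.Arrays;

import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.framework.EntityQuery;

// Hypothetical hardened replacement for the BetList posted above.
// The EJBQL string never contains user data; the user-supplied value is
// attached as a Seam restriction whose #{...} expression Seam rewrites
// into a named JPA parameter (e.g. bet.user.userName = :el1) when the
// query is rendered, so the provider binds it as a value, not as syntax.
@Name("betsListForUser")
public class BetList extends EntityQuery<Bet> {

    // Bound from the page parameter; may hold anything the client sends,
    // quotes and JPQL keywords included.
    private String userName;

    public BetList() {
        // Fixed query text, no concatenation.
        setEjbql("select bet from Bet bet");
        // Seam evaluates the EL expression at execution time and binds the
        // result as a parameter; a restriction whose value is null is skipped,
        // so a missing userName simply lists all bets (limit it below).
        setRestrictionExpressionStrings(Arrays.asList(
                "bet.user.userName = #{betsListForUser.userName}"));
        setMaxResults(10);
    }

    public String getUserName() {
        return userName;
    }

    public void setUserName(String userName) {
        this.userName = userName;
    }

    // Same guard without Seam's restriction machinery, for code that calls
    // the EntityManager directly: the value travels as a named parameter.
    static TypedQuery<Bet> betsFor(EntityManager em, String userName) {
        return em.createQuery(
                    "select bet from Bet bet where bet.user.userName = :userName",
                    Bet.class)
                 .setParameter("userName", userName)
                 .setMaxResults(10);
    }
}
```

With either form the malicious input above is compared literally against bet.user.userName and matches no row; the user-facing URL (/betList.seam?userName=...) stays as readable as before, so the integer-id workaround from the post is not needed for safety.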