Another important distinction is that the former will prevent SQL
injection attacks, while the latter can make such attacks possible.
http://en.wikipedia.org/wiki/SQL_injection
On Sun, Nov 14, 2010 at 2:06 PM, Andrus Adamchik <andru..bjectstyle.org> wrote:
>
> On Nov 13, 2010, at 12:40 AM, Marek Šabo wrote:
>
>
>> SELECT #result('COUNT(id)' 'Long' 'count')
>> from User #chain('AND' 'WHERE') #chunk($userId) id = #bind($userId) #end #chunk($userName) userInfo.name LIKE $userName #end #end
>
>> becuase of "userInfo.name" which is object-style. So my first question is whether there is a way of accomplishing this with EJBQL so I don't have to work with joins there.
>
>
> Yeah, something like this should work:
>
> SELECT COUNT(a) FROM User a WHERE a.id = :userId AND a.userInfo.name like :userName
>
>> Second, what is the difference between #bind($a) and just $a. Both works and I suppose it's close to similar.
>
> The former results in a JDBC parameter inclusion and a call to PreparedStatement.setXYZ(a), the later is embedded in the SQL as a String. So the former let's JDBC driver to do the right type conversions and is a recommended way to insert *parameter* objects in the query. The later form can be used to dynamically build parts of SQL query that are not parameters. It will work for some parameters as well (e.g. Strings), but won't work for others (e.g. Date).
>
> Andrus
This archive was generated by hypermail 2.0.0 : Mon Nov 15 2010 - 12:44:14 UTC