Thanks to both of you,
that part regarding SQLI is especially important.
On 11/15/2010 01:43 PM, Mike Kienenberger wrote:
> Another important distinction is that the former will prevent SQL
> injection attacks, while the latter can make such attacks possible.
>
> http://en.wikipedia.org/wiki/SQL_injection
>
> On Sun, Nov 14, 2010 at 2:06 PM, Andrus Adamchik<andru..bjectstyle.org> wrote:
>> On Nov 13, 2010, at 12:40 AM, Marek Šabo wrote:
>>
>>
>>> SELECT #result('COUNT(id)' 'Long' 'count')
>>> from User #chain('AND' 'WHERE') #chunk($userId) id = #bind($userId) #end #chunk($userName) userInfo.name LIKE $userName #end #end
>>> because of "userInfo.name" which is object-style. So my first question is whether there is a way of accomplishing this with EJBQL so I don't have to work with joins there.
>>
>> Yeah, something like this should work:
>>
>> SELECT COUNT(a) FROM User a WHERE a.id = :userId AND a.userInfo.name like :userName
>>
>>> Second, what is the difference between #bind($a) and just $a. Both work and I suppose it's close to similar.
>> The former results in a JDBC parameter inclusion and a call to PreparedStatement.setXYZ(a), the latter is embedded in the SQL as a String. So the former lets the JDBC driver do the right type conversions and is a recommended way to insert *parameter* objects in the query. The latter form can be used to dynamically build parts of SQL query that are not parameters. It will work for some parameters as well (e.g. Strings), but won't work for others (e.g. Date).
>>
>> Andrus
-- Marek Šabo Server Manager Club SU CVUT Buben Bubenečská Kolej (421) XMPP: zeratul02..mail.com
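The #bind() versus plain $ distinction Andrus describes, as an added example that is not part of the thread or of Cayenne's own code: Python's sqlite3 module stands in for the JDBC driver, the User table is constructed, and the two query forms are written side by side so the embedded form's failure on a name containing a quote and its silent miscomparison of a Date can be seen next to the bound form handling both.

```python
import sqlite3
from datetime import date

# Lets the driver convert a date parameter itself, the analogue of the
# PreparedStatement.setXYZ() call that #bind() relies on.
sqlite3.register_adapter(date, date.isoformat)

def make_db():
    """Constructed in-memory stand-in for the User table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "alice", "2010-11-13"), (2, "bob", "2010-11-14")])
    return conn

def count_by_name_embedded(conn, user_name):
    """The plain $userName form: the value becomes part of the SQL text."""
    sql = f"SELECT COUNT(id) FROM user WHERE name LIKE '{user_name}'"
    return conn.execute(sql).fetchone()[0]

def count_by_name_bound(conn, user_name):
    """The #bind($userName) form: the value travels as a parameter."""
    sql = "SELECT COUNT(id) FROM user WHERE name LIKE ?"
    return conn.execute(sql, (user_name,)).fetchone()[0]

def count_by_date_embedded(conn, created):
    """$created with a Date: str(date) lands unquoted in the SQL text."""
    sql = f"SELECT COUNT(id) FROM user WHERE created = {created}"
    return conn.execute(sql).fetchone()[0]

def count_by_date_bound(conn, created):
    """#bind($created): the adapter registered above does the conversion."""
    sql = "SELECT COUNT(id) FROM user WHERE created = ?"
    return conn.execute(sql, (created,)).fetchone()[0]

def demo():
    conn = make_db()
    out = {
        "bound_pattern": count_by_name_bound(conn, "a%"),            # 1 (alice)
        "bound_quote": count_by_name_bound(conn, "o'brien"),         # 0, quote is data
        "bound_date": count_by_date_bound(conn, date(2010, 11, 13)), # 1
        # unquoted 2010-11-13 is evaluated as arithmetic, so the row is silently missed
        "embedded_date": count_by_date_embedded(conn, date(2010, 11, 13)),  # 0
    }
    try:
        count_by_name_embedded(conn, "o'brien")
        out["embedded_quote"] = "ok"
    except sqlite3.OperationalError:
        out["embedded_quote"] = "syntax error"  # the quote broke the statement
    return out
```

The bound form treats every value as data, which is the property that keeps user input from altering the statement; the embedded form only looks equivalent while inputs happen to be well-behaved strings.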
This archive was generated by hypermail 2.0.0 : Mon Nov 15 2010 - 19:13:06 UTC