On Fri, 17 Feb 2012 09:18:36 -0200, Lance Java <lance.j...@googlemail.com> wrote:

> Thiago,

Hi, Lance!

> please re-read the code... It is using parameters (indexed rather
> than named) and cannot be SQL injected.

I'm talking about this:

"where c1.id in (" + questions + ") "

He should use Query.setParameterList() instead.
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
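The concatenated IN clause Thiago points at, side by side with the setParameterList() fix, as an added example that is not code from the original thread or from the poster's project. The entity name Comment, the DAO class, and the helper that turns a comma-separated request parameter into a List<Long> are all assumptions made for illustration; Session.createQuery(), Query.setParameterList() and Query.list() are standard Hibernate 3/4 API.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;

// Hypothetical DAO showing the vulnerable pattern from the thread next to
// the parameterised form. "Comment" and its "id" property are assumed.
public class CommentDao {

    // VULNERABLE: the id list is spliced straight into the HQL text. The
    // indexed "?" parameters elsewhere in the query do nothing for this
    // fragment, because this part of the query string is built at runtime
    // from whatever the caller passed in.
    public static String buildUnsafeHql(String questions) {
        return "select c1 from Comment c1 where c1.id in (" + questions + ")";
    }

    // SAFE: the whole list is bound as one named collection parameter.
    // Hibernate expands it to the right number of placeholders and binds
    // each element; nothing supplied by the caller is parsed as HQL.
    public static List<?> findByQuestionIds(Session session, List<Long> questionIds) {
        if (questionIds.isEmpty()) {
            // "in ()" is rejected by most databases, so do not run the query.
            return Collections.emptyList();
        }
        Query query = session.createQuery(
                "select c1 from Comment c1 where c1.id in (:questionIds)");
        query.setParameterList("questionIds", questionIds);
        return query.list();
    }

    // Assumed helper: convert the raw request parameter ("1,2,3") into
    // typed ids before it gets anywhere near the query. Anything that is
    // not a number fails here with NumberFormatException instead of being
    // interpreted by the HQL parser.
    public static List<Long> parseIds(String csv) {
        List<Long> ids = new ArrayList<Long>();
        if (csv == null || csv.trim().isEmpty()) {
            return ids;
        }
        for (String part : csv.split(",")) {
            ids.add(Long.parseLong(part.trim()));
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the IN list and ORs in a
        // tautology, so the unsafe query returns every Comment row.
        String hostile = "1) or 1=1 or c1.id in (2";
        System.out.println(buildUnsafeHql(hostile));

        // The same string never reaches a query through the safe path:
        // parseIds() refuses it before findByQuestionIds() is called.
        try {
            parseIds(hostile);
        } catch (NumberFormatException e) {
            System.out.println("rejected non-numeric id list: " + e.getMessage());
        }
        System.out.println("parsed ok: " + parseIds("1, 2, 3"));
    }
}
```

Running main() prints the rewritten WHERE clause so you can see that the tautology lands inside the HQL, followed by the rejection of the same input by parseIds(). findByQuestionIds() needs a live Session, so it is not exercised from main(); the point is that with setParameterList() the values are bound, not concatenated, and with a typed List<Long> there is no string left for an attacker to shape.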