> I'm talking about this:
>
> "where c1.id in (" + questions + ") "

I'm hoping you realise that questions is just a comma-separated string of question marks, e.g. "?, ?, ?", so it's SQL injection safe.

> He should use Query.setParameterList() instead.

Cool, I didn't know about this. I'm assuming Hibernate generates the "?, ?, ?" under the hood to achieve this. I'm thinking that this might be (ever so slightly) slower than using setLong() for each, as it would either be doing a potentially ambiguous setObject() under the hood or would be doing lots of instanceof's to determine the parameter type. It would be nicer if Hibernate had a method setLongs(String name, long[] values).

On Friday, 17 February 2012, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:

> On Fri, 17 Feb 2012 09:18:36 -0200, Lance Java <lance.j...@googlemail.com> wrote:
>
>> Thiago,
>
> Hi, Lance!
>
>> please re-read the code... It is using parameters (indexed rather
>> than named) and cannot be SQL injected.
>
> I'm talking about this:
>
> "where c1.id in (" + questions + ") "
>
> He should use Query.setParameterList() instead.
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
> Owner, Ars Machina Tecnologia da Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
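The distinction the two posters are circling is whether the variable spliced into the `in (...)` clause holds placeholders or holds data. The following is an added example, not code from either participant or from Hibernate itself; it assumes a hypothetical native-SQL table `comment` with a numeric `id` column and a caller-supplied Hibernate 3.x `Session`. It shows the genuinely unsafe form (raw ids concatenated into the SQL text), the safe positional form Lance describes (a generated "?, ?, ?" string plus one `setLong()` per value), and the named `setParameterList()` form Thiago recommends. Both safe variants guard against an empty list, because `in ()` is a syntax error on most databases whichever binding style is used.

```java
import java.util.Collections;
import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;

/**
 * Added example (not code from the thread or from Hibernate).
 * Assumes a hypothetical table "comment" with a numeric "id" column
 * and the Hibernate 3.x Query API.
 */
public class InClauseExample {

    /**
     * UNSAFE: rawIds is text supplied by the caller (for example a request
     * parameter "1,2,3") and is spliced straight into the SQL. Input such
     * as "1) or 1=1 --" rewrites the query. This is the pattern the
     * warning applies to: the variable carries values, not placeholders.
     */
    static String unsafeSql(String rawIds) {
        return "select c1.id from comment c1 where c1.id in (" + rawIds + ")";
    }

    /** Builds "?, ?, ?" for n values. The string contains only placeholders. */
    static String placeholders(int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) {
            if (i > 0) sb.append(", ");
            sb.append('?');
        }
        return sb.toString();
    }

    /**
     * SAFE, positional: the SQL text is fixed apart from a count of "?"
     * derived from the list size, and every id travels as a bind value
     * via setLong(). Hibernate 3.x legacy "?" parameters are 0-based.
     */
    @SuppressWarnings("unchecked")
    static List<Number> selectPositional(Session session, List<Long> ids) {
        if (ids.isEmpty()) {
            return Collections.emptyList(); // "in ()" is invalid SQL on most databases
        }
        String questions = placeholders(ids.size());
        Query q = session.createSQLQuery(
                "select c1.id from comment c1 where c1.id in (" + questions + ")");
        for (int i = 0; i < ids.size(); i++) {
            q.setLong(i, ids.get(i));
        }
        return (List<Number>) q.list();
    }

    /**
     * SAFE, named: Hibernate expands ":ids" into one placeholder per
     * element of the collection and binds each element for you.
     */
    @SuppressWarnings("unchecked")
    static List<Number> selectNamed(Session session, List<Long> ids) {
        if (ids.isEmpty()) {
            return Collections.emptyList();
        }
        Query q = session.createSQLQuery(
                "select c1.id from comment c1 where c1.id in (:ids)");
        q.setParameterList("ids", ids);
        return (List<Number>) q.list();
    }
}
```

The check to apply when reviewing code of the first shape is simply what the concatenated variable can contain: if it is produced by `placeholders()` (or an equivalent loop over `?`), the SQL shape varies only by count and the values are bound; if it is built from the ids themselves, the query text is attacker-influenced regardless of how the rest of the statement is parameterised.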