Ah, just saw in the javadoc you can provide a type parameter to setParameterList(). This is getting OT.
Cheers,
Lance

On Friday, 17 February 2012, Lance Java <lance.j...@googlemail.com> wrote:
>> I'm talking about this:
>>
>> "where c1.id in (" + questions + ") "
> I'm hoping you realise that questions is just a comma-separated string of question marks, e.g. "?, ?, ?", so it's SQL injection safe.
>
>> He should use Query.setParameterList() instead.
> Cool, I didn't know about this. I'm assuming Hibernate generates the "?, ?, ?" under the hood to achieve this. I'm thinking that this might be (ever so slightly) slower than using setLong() for each, as it would either be doing a potentially ambiguous setObject() under the hood or would be doing lots of instanceof's to determine the parameter type. It would be nicer if Hibernate had a method setLongs(String name, long[] values).
>
> On Friday, 17 February 2012, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
>> On Fri, 17 Feb 2012 09:18:36 -0200, Lance Java <lance.j...@googlemail.com> wrote:
>>
>>> Thiago,
>>
>> Hi, Lance!
>>
>>> please re-read the code... It is using parameters (indexed rather
>>> than named) and cannot be SQL injected.
>>
>> I'm talking about this:
>>
>> "where c1.id in (" + questions + ") "
>>
>> He should use Query.setParameterList() instead.
>>
>> --
>> Thiago H. de Paula Figueiredo
>> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
>> Owner, Ars Machina Tecnologia da Informação Ltda.
>> http://www.arsmachina.com.br
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
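The two patterns the thread compares, side by side, as an added example that is not code from the thread or from Hibernate itself. It assumes a mapped entity called `Question` with a `long` `id` property (an assumption) and the Hibernate 3/4 `org.hibernate.Query` API; the point is that the only text ever concatenated into the query is a placeholder list derived from a count, while every id value goes through a typed bind.

```java
import java.util.Collection;

import org.hibernate.Query;
import org.hibernate.Session;

public class QuestionLookup {

    // Builds "?, ?, ?" from a count only. No caller-supplied text reaches the
    // query string, which is why the original code is not injectable.
    static String placeholders(int count) {
        if (count <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        StringBuilder sb = new StringBuilder("?");
        for (int i = 1; i < count; i++) {
            sb.append(", ?");
        }
        return sb.toString();
    }

    // Variant 1: positional placeholders generated above, one setLong() per id
    // (the approach Lance defends). Each value is bound as a typed parameter.
    static Query byIdsPositional(Session session, long[] ids) {
        String hql = "from Question c1 where c1.id in (" + placeholders(ids.length) + ")";
        Query q = session.createQuery(hql);
        for (int i = 0; i < ids.length; i++) {
            q.setLong(i, ids[i]);
        }
        return q;
    }

    // Variant 2: a single named list parameter (Thiago's suggestion).
    // Hibernate expands ":ids" into the right number of placeholders itself,
    // so the query string is a constant and the count never needs computing.
    static Query byIdsNamed(Session session, Collection<Long> ids) {
        if (ids.isEmpty()) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        Query q = session.createQuery("from Question c1 where c1.id in (:ids)");
        q.setParameterList("ids", ids);
        return q;
    }
}
```

Both variants keep id values out of the query text; the empty-list guard matters because an `IN ()` with no placeholders is a syntax error on most databases, and Hibernate's list expansion does not silently fix that for you.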