Question
Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within an HQL query handled?
Example:
public List<Student> loadAllStudentsByStatus(String status) {
String queryString = "FROM Student student WHERE student.status = " + status;
Query queryObject = currentSession().createQuery(queryString);
return queryObject.list();
}
Will status be "parsed" and used as a parameter in SQL, or does it get sent as an inline parameter?
My reason behind the argument is "best practices", and query performance for repetitive calls.
Answer 1:
It gets sent inline. You definitely don't want to do this when status is a client-controlled value.
Rather parameterize it:
return currentSession()
.createQuery("FROM Student student WHERE student.status = :status")
.setParameter("status", status)
.list();
See also:
- OWASP - Hibernate
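The two forms side by side, as an added example that is not part of the original question or answer. It assumes Hibernate 5.2 or later (typed `Query<T>` from `Session.createQuery(String, Class)`), a `Student` entity with a `status` field, and a `SessionFactory` wired elsewhere; `StudentRepository` is a hypothetical name. The first method is the question's concatenation kept only for comparison; the others bind values through named parameters, so Hibernate emits one SQL text with `?` placeholders and passes the values via `PreparedStatement` setters, which both keeps the value from changing the query's structure and lets the driver reuse the prepared statement across repeated calls.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.query.Query;

// Hypothetical repository; the Student entity and SessionFactory wiring are assumed to exist.
public class StudentRepository {
    private final SessionFactory sessionFactory;

    public StudentRepository(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    // The question's form, kept for comparison only: the value is spliced into the HQL text,
    // so Hibernate parses it as part of the query and the generated SQL carries it inline.
    // A client-controlled status can therefore change the query itself, and every distinct
    // value produces a distinct SQL string that defeats statement caching.
    public List<Student> loadAllStudentsByStatusUnsafe(String status) {
        String hql = "FROM Student student WHERE student.status = " + status;
        Session session = sessionFactory.getCurrentSession();
        Query<Student> query = session.createQuery(hql, Student.class);
        return query.getResultList();
    }

    // Hardened form: a named parameter. The HQL text is constant, Hibernate compiles it to SQL
    // with a '?' placeholder, and the value is bound with PreparedStatement.setString at
    // execution time. The value is always treated as data, never as query syntax.
    public List<Student> loadAllStudentsByStatus(String status) {
        Session session = sessionFactory.getCurrentSession();
        Query<Student> query = session.createQuery(
                "FROM Student student WHERE student.status = :status", Student.class);
        query.setParameter("status", status);
        return query.getResultList();
    }

    // Binding a collection: setParameterList expands to one placeholder per element, so an
    // IN clause built from caller-supplied values is still fully parameterized.
    public List<Student> loadAllStudentsByStatuses(List<String> statuses) {
        Session session = sessionFactory.getCurrentSession();
        Query<Student> query = session.createQuery(
                "FROM Student student WHERE student.status IN (:statuses)", Student.class);
        query.setParameterList("statuses", statuses);
        return query.getResultList();
    }
}
```

For the parameterized methods the SQL Hibernate logs (with `hibernate.show_sql`) contains `?` where the status goes, regardless of the value passed; seeing the literal value appear in the logged SQL is the quickest check that a query is still concatenating.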
Source: https://stackoverflow.com/questions/4340346/prepared-statements-hibernate-and-hql