If that's correct, then great. I'm wrong and everything is safe. I've been
cleaning out a lot of select ... where name like +name+% from a codebase I
inherited. So I may just have been spooked by seeing #{expression} + %.
That said, I don't recall reading anywhere that Seam does what you
I guess I'm just expecting the values to be run through Seam's interpolator,
which just does a string replace. I don't expect that Seam will generate a
prepared statement, replace the EL with bind variables, etc. If it does, more
power to Gavin.
View the original post :
AFAICS this is exactly what it does - QueryParser in org.jboss.seam.persistence
takes an ejbql which contains EL and replaces it with a parameter number, and
creates a list of parameter value bindings. Then in EntityQuery
query.setParameter is used.
View the original post :
http://docs.jboss.com/seam/1.2.1.GA/reference/en/html/persistence.html#d0e5563
So this only works if you're using a seam-managed persistence context. If
you're not, I'm not sure if you'll get a parse error or an SQL injection
vulnerability.
View the original post :
Err, that link says it works whether you use an SMPC or a plain JPA PC. It
also clears up the SQL injection question.
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038442#4038442
Yep, +1 Seam crew. I should have known better. :)
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038452#4038452
___
Duh, yeah, you're right. Somehow missed the second part of that sentence.
Thanks for the correction.
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038697#4038697
exception?
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038020#4038020
___
jboss-user mailing list
Just try:
| <fwk:restrictions>
|   <value>lower(firstName) like lower(concat(#{exampleContact.firstName}, '%'))</value>
|   <value>lower(lastName) like lower(concat(#{exampleContact.lastName}, '%'))</value>
| </fwk:restrictions>
|
That should work in MySQL.
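As an added illustration (not Seam's own QueryParser or EntityQuery code), the following shows the two approaches the thread contrasts: pasting the value into the query text versus rewriting each `#{...}` in a restriction into a positional parameter and binding the value separately, which is what the thread attributes to `org.jboss.seam.persistence.QueryParser`. The restriction strings are the ones from the post above; the `Contact` entity, the bean values and the `Map`-based EL resolver are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/*
 * Added example, not Seam's own code: rewrite EL in EJBQL restriction
 * fragments into positional JPA parameters and collect the values to bind.
 */
public class ElToBindParams {

    /** Rewritten EJBQL plus the values to pass to Query.setParameter, in order. */
    public static final class Parsed {
        public final String ejbql;
        public final List<Object> bindings;
        Parsed(String ejbql, List<Object> bindings) {
            this.ejbql = ejbql;
            this.bindings = bindings;
        }
    }

    /** Stand-in for the EL resolver (assumption): bean values keyed by expression text. */
    private static Object resolve(Map<String, Object> beans, String expression) {
        if (!beans.containsKey(expression)) {
            throw new IllegalArgumentException("unknown EL expression: " + expression);
        }
        return beans.get(expression);
    }

    /**
     * Replace every #{...} in one restriction with ?N (N starts at firstParam)
     * and record the resolved value. The value never enters the query text.
     */
    public static Parsed parse(String fragment, Map<String, Object> beans, int firstParam) {
        StringBuilder out = new StringBuilder();
        List<Object> bindings = new ArrayList<>();
        int pos = 0;
        int param = firstParam;
        while (true) {
            int start = fragment.indexOf("#{", pos);
            if (start < 0) {
                out.append(fragment, pos, fragment.length());
                break;
            }
            int end = fragment.indexOf('}', start + 2);
            if (end < 0) {
                throw new IllegalArgumentException("unterminated EL in: " + fragment);
            }
            out.append(fragment, pos, start).append('?').append(param++);
            bindings.add(resolve(beans, fragment.substring(start + 2, end)));
            pos = end + 1;
        }
        return new Parsed(out.toString(), bindings);
    }

    /** Join all restrictions into one WHERE clause, numbering parameters across them. */
    public static Parsed buildWhere(List<String> restrictions, Map<String, Object> beans) {
        StringBuilder where = new StringBuilder();
        List<Object> bindings = new ArrayList<>();
        for (String restriction : restrictions) {
            Parsed p = parse(restriction, beans, bindings.size() + 1);
            where.append(where.length() == 0 ? " where " : " and ").append(p.ejbql);
            bindings.addAll(p.bindings);
        }
        return new Parsed(where.toString(), bindings);
    }

    /** The "like '+name+%'" pattern the first poster was removing: the value is pasted into the query. */
    public static String concatenated(String firstName) {
        return "select c from Contact c where lower(c.firstName) like lower('" + firstName + "%')";
    }

    public static void main(String[] args) {
        // Constructed input: a legitimate name containing a quote, which breaks the concatenated query
        Map<String, Object> beans = Map.of(
            "exampleContact.firstName", "O'Brien",
            "exampleContact.lastName", "Smith");
        List<String> restrictions = List.of(
            "lower(firstName) like lower(concat(#{exampleContact.firstName}, '%'))",
            "lower(lastName) like lower(concat(#{exampleContact.lastName}, '%'))");

        System.out.println("concatenated:  " + concatenated("O'Brien"));
        Parsed p = buildWhere(restrictions, beans);
        System.out.println("parameterized: select c from Contact c" + p.ejbql);
        for (int i = 0; i < p.bindings.size(); i++) {
            // Seam's EntityQuery would call query.setParameter(i + 1, value) at this point
            System.out.println("  setParameter(" + (i + 1) + ", " + p.bindings.get(i) + ")");
        }
    }
}
```

Compile and run with `javac ElToBindParams.java && java ElToBindParams`. The concatenated query carries the quote from `O'Brien` straight into the query text, which is exactly why any value containing quote characters is a problem there. In the parameterized form the query text ends up as `lower(firstName) like lower(concat(?1, '%'))`, the `%` wildcard stays a literal in the query, and the bean value is only ever passed through `setParameter`, so no escaping of the value is needed at all.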
Thx everyone for the help. The solution provided by fernando_jmt works. Looks
like the value element in the restrictions is dependent on the underlying DBMS.
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038212#4038212
This just seems begging for a SQL injection problem. Be careful when using
this feature.
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038215#4038215
How so? EL expressions get replaced by a parameter, which would cause the
input to be escaped correctly, right?
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4038223#4038223