[ http://jira.nuxeo.org/browse/NXP-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=36228#action_36228 ]

jhon book commented on NXP-571:
-------------------------------


> Change the query(String query) method signature to handle escaping natively
> ---------------------------------------------------------------------------
>
>                 Key: NXP-571
>                 URL: http://jira.nuxeo.org/browse/NXP-571
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Improvement
>          Components: Query / Search
>    Affects Versions: 5.1 M2
>            Reporter: Olivier Grisel
>            Assignee: Georges Racinet
>             Fix For: 5.2 M2
>
>
> Currently client components find documents by forging a string query such as:
>    String myQuery = "SELECT * FROM document WHERE prefix1:field1 = 'value1' AND prefix2:field2 = 'value2'";
> and then feeding it to:
>    documentManager.query(myQuery);
> Which is bad since it's up to the client code to implement NXQL escaping
> (security protection against NXQL injection).
> So the new API instead accepts:
>   String myQuery = "SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?";
>   Object[] params = new Object[] {"value1", "value2"};
>   documentManager.query(myQuery, params);
> and the NXQL escaping should be handled by the server as this is done with
> the PreparedStatement class of JDBC for instance.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
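
The forged query from the ticket next to the proposed placeholder form, as an added example that is not Nuxeo code and not part of the original message. `NxqlBindDemo`, `literal` and `bind` are hypothetical names, and the backslash escaping of `'` and `\` inside single-quoted literals is an assumption to check against the NXQL grammar of the version in use.

```java
import java.util.Arrays;
import java.util.Iterator;

// Hypothetical helper for illustration; not part of the Nuxeo API.
public class NxqlBindDemo {
    // Assumed literal syntax: single-quoted, with \ and ' escaped by a backslash.
    static String literal(Object value) {
        if (value instanceof Integer || value instanceof Long) {
            return value.toString();
        }
        if (value instanceof String) {
            String s = (String) value;
            return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'";
        }
        throw new IllegalArgumentException("unsupported parameter type: " + value);
    }

    // Replaces each '?' outside a quoted literal with the next escaped parameter.
    static String bind(String template, Object... params) {
        StringBuilder out = new StringBuilder();
        Iterator<Object> it = Arrays.asList(params).iterator();
        boolean inLiteral = false;
        for (int i = 0; i < template.length(); i++) {
            char c = template.charAt(i);
            if (inLiteral && c == '\\' && i + 1 < template.length()) {
                out.append(c).append(template.charAt(++i)); // copy escaped char untouched
            } else if (c == '\'') {
                inLiteral = !inLiteral;
                out.append(c);
            } else if (c == '?' && !inLiteral) {
                if (!it.hasNext()) throw new IllegalArgumentException("too few parameters");
                out.append(literal(it.next()));
            } else {
                out.append(c);
            }
        }
        if (inLiteral || it.hasNext()) {
            throw new IllegalArgumentException("unterminated literal or unused parameters");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that carries its own quote.
        String hostile = "value1' OR prefix1:field1 <> '";
        String forged = "SELECT * FROM document WHERE prefix1:field1 = '" + hostile + "'";
        String bound = bind("SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?", hostile, 42);
        System.out.println("forged: " + forged); // the value's quote ends the literal early
        System.out.println("bound:  " + bound);  // the value stays inside one literal
    }
}
```

A server that passes parameters to the query engine as typed values, as JDBC's PreparedStatement does, avoids text substitution altogether; the escaping binder above only shows where the responsibility moves.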
