In a previous post John pointed out that App Engine is subject to attacks like "SQL injection". He recommended using parameterized queries instead of concatenating strings to build the query. I think he is right. Perhaps I missed some points, but the documentation does not point it out. http://code.google.com/appengine/docs/java/datastore/queriesandindexes.html A suggestion to the Google guys: add a clear warning in the documentation about using "concatenated" queries and remove the "concatenated" examples (or make it clear not to use them in real apps).
IMHO :)

Fabrizio

On Sat, Dec 25, 2010 at 6:42 PM, John <jwb...@gmail.com> wrote:
> Really, it's important to use parameterized queries. Looking at this style
> of code causes me to assume the app will be subject to attack in the
> 'SQL'-injection style. (Acknowledging that what would be injected would have
> to be something other than SQL.)

--
You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group.
To post to this group, send email to google-appengine-j...@googlegroups.com.
To unsubscribe from this group, send email to google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
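Added example (not from Fabrizio's or John's messages, and not taken from the App Engine documentation): the concatenated JDOQL filter the thread warns about next to its parameterized form, using the JDO API that App Engine for Java shipped with. The `Employee` class, the `lastName` property and the `lastNameParam` parameter name are assumptions chosen for the illustration; `showFilterExpansion` only builds the filter string so the reader can see what user input does to it, and the comment about which operators the Datastore JDO plugin accepts is an assumption.

```java
import java.util.List;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import javax.jdo.annotations.IdGeneratorStrategy;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.Persistent;
import javax.jdo.annotations.PrimaryKey;

import com.google.appengine.api.datastore.Key;

/** Assumed entity class; only needed so the queries below have something to filter on. */
@PersistenceCapable
class Employee {
    @PrimaryKey
    @Persistent(valueStrategy = IdGeneratorStrategy.IDENTITY)
    private Key key;

    @Persistent
    private String lastName;

    public String getLastName() { return lastName; }
}

public class EmployeeQueries {

    /**
     * Builds the filter the way the "concatenated" examples do. Exposed so that the
     * effect of hostile input is visible without running against a Datastore.
     */
    static String showFilterExpansion(String lastName) {
        return "lastName == '" + lastName + "'";
    }

    /** VULNERABLE: user-controlled text becomes part of the JDOQL filter. */
    @SuppressWarnings("unchecked")
    static List<Employee> findByLastNameUnsafe(PersistenceManager pm, String lastName) {
        Query q = pm.newQuery(Employee.class);
        q.setFilter(showFilterExpansion(lastName));
        return (List<Employee>) q.execute();
    }

    /** SAFE: the value is bound to a declared parameter and never parsed as JDOQL. */
    @SuppressWarnings("unchecked")
    static List<Employee> findByLastNameSafe(PersistenceManager pm, String lastName) {
        Query q = pm.newQuery(Employee.class);
        q.setFilter("lastName == lastNameParam");
        q.declareParameters("String lastNameParam");
        return (List<Employee>) q.execute(lastName);
    }

    public static void main(String[] args) {
        // Benign input: both variants produce the filter the developer expects.
        System.out.println(showFilterExpansion("Smith"));
        // -> lastName == 'Smith'

        // Hostile input (constructed): the closing quote ends the literal early and the
        // rest is parsed as JDOQL, so the condition the query engine sees is no longer
        // "last name equals what the user typed". Whether a given rewritten filter is
        // accepted or rejected depends on what the Datastore JDO plugin supports (an
        // assumption here), but either outcome is already a bug: wrong rows or a 500.
        System.out.println(showFilterExpansion("' || lastName != '"));
        // -> lastName == '' || lastName != ''

        // With findByLastNameSafe the same string is simply a last name nobody has;
        // the filter text stays "lastName == lastNameParam" regardless of input.
    }
}
```

The parameterized form is the one the "Queries and Indexes" page already shows for `declareParameters`; the point of putting the two side by side is that the concatenated variant is never acceptable for input that reaches the app from a request, even though, as John notes, what gets injected is JDOQL rather than SQL. The same rule applies to JPA (`setParameter` instead of string building) and to GQL strings; the low-level `com.google.appengine.api.datastore.Query` API sidesteps the problem because filters are built from objects rather than parsed from text.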