On Mar 14, 2009, at 10:14 AM, Ben Gunter wrote:

> If you mean named queries using @NamedQuery and @NamedNativeQuery,
> then yes. With those, you'll call setParameter(..) and it will be
> issued to the database as a prepared statement. You should be safe
> doing that.
It's very simple. If you're using Statement.setInt(), setString, etc., i.e. "bind" parameters, SQL injection is a non-issue. If you don't, then you take your fate into your own hands.

MOST Java folks (IME) use binds, which is why it's simply less of an issue culturally than in, say, PHP.

Regards,

Will Hartung

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
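An added illustration of the point made in this thread (not code from the list or from Stripes): the concatenated query beside its bind-parameter equivalents in plain JDBC and in JPA. The `User` entity, its `User.byName` named query and the `users` table columns are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Hypothetical entity; the named query below takes the value as a bind parameter.
@Entity
@NamedQuery(name = "User.byName",
            query = "SELECT u FROM User u WHERE u.username = :name")
class User {
    @Id Long id;
    String username;
    String email;
}

public class BindParameterExample {

    // Unsafe: the untrusted value is spliced into the SQL text, so the database
    // parser cannot tell where the literal was meant to end. This is the form
    // the thread warns against.
    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(
            "SELECT id, email FROM users WHERE username = '" + username + "'");
    }

    // Safe: the SQL text is fixed at prepare time; the value travels separately
    // as a bind parameter and is only ever treated as data.
    static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, email FROM users WHERE username = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // JPA form of the same thing: a @NamedQuery plus setParameter(..), which the
    // provider issues to the database as a prepared statement.
    static User findUserJpa(EntityManager em, String username) {
        TypedQuery<User> q = em.createNamedQuery("User.byName", User.class);
        q.setParameter("name", username);
        return q.getSingleResult();
    }
}
```

The same rule carries over to `@NamedNativeQuery`: as long as the SQL string is a constant and every runtime value goes through `setParameter(..)`, the value cannot change the shape of the statement.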