So, for future posterity and to help myself again when I need it...

    // cdw is the EOEditingContext; sqlStatement is the raw SQL with one
    // bind placeholder per parameter instead of concatenated values.
    EOEntity entity = EOUtilities.entityForClass(cdw, YourEntity.class);
    JDBCExpression exp = new JDBCExpression(entity);
    exp.setUseBindVariables(true);
    exp.setStatement(sqlStatement);

    // One bind-variable dictionary per parameter, built from the entity's
    // attribute so the adaptor knows the column type (ID as the key
    // attribute, the year as an NSTimestamp).
    exp.addBindVariableDictionary(exp.bindVariableDictionaryForAttribute(
            entity.attributeNamed(YourEntity.UNIQUE_ID_KEY), ID));
    exp.addBindVariableDictionary(exp.bindVariableDictionaryForAttribute(
            entity.attributeNamed(YourEntity.YEAR_KEY), new NSTimestamp(year)));

    NSArray<NSDictionary> rows = ERXEOAccessUtilities.rawRowsForSQLExpression(cdw, "YourModelName", exp);

And now, SQL injection attacks have been avoided and the planet is once again safe!

-Mike

On Nov 8, 2011, at 2:29 PM, Michael Gargano wrote:

Okay, let me come at this one another way because this doesn't seem to be panning out at all. I want to write a complicated SQL query across multiple tables and return a bunch of columns across those tables as an array of dictionaries. I know EOUtilities.rawRowsForSQLExpression will do this, but I want the parameters I'm passing into my expression to be parameterized so as to prevent SQL injection attacks. Any ideas?

Thanks.

-Mike

On Nov 8, 2011, at 11:52 AM, Michael Gargano wrote:

Hi,

Does anyone have any examples of how to use ERXSQLQueryWithBindingsUtilities.runSqlQueryWithBindings? Two questions:

1) It seems like it should support named parameters since ERXKeyValueBinding implements ERXSQLBinding, but I can't figure out how the parameter placeholders should look in the query.

2) Since I couldn't figure out 1 (above), I was just using ERXObjectBindings and the parameter placeholder '?'. It seems to like this much better, but when I pass a date in as a parameter it chokes on PostgreSQL.

Anyone ever use this utility method?

Much thanks.

-Mike

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/mgargano%40escholar.com
This email sent to mgarg...@escholar.com
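The bind-variable approach from the thread, generalized into a reusable helper as an added example (not Mike's code or part of Project Wonder). It assumes the standard WebObjects/Wonder package names, that JDBCExpression uses '?' as the bind placeholder, and that placeholders are bound in the order the dictionaries are added; the placeholder count check is a constructed sanity check, not an EOF feature.

```java
import com.webobjects.eoaccess.EOAttribute;
import com.webobjects.eoaccess.EOEntity;
import com.webobjects.eoaccess.EOUtilities;
import com.webobjects.eocontrol.EOEditingContext;
import com.webobjects.foundation.NSArray;
import com.webobjects.foundation.NSDictionary;
import com.webobjects.jdbcadaptor.JDBCExpression;
import er.extensions.eof.ERXEOAccessUtilities;

public final class BoundRawRows {

    // Pattern to avoid: "... WHERE id = '" + id + "'" puts caller-supplied
    // text into the statement itself. Everything below keeps the SQL text
    // fixed and ships the values separately as bind variables.

    /**
     * Runs a raw SQL statement with one '?' placeholder per parameter.
     * attrNamesAndValues alternates (attributeName, value), in placeholder order;
     * the attribute name selects the EOAttribute whose type the adaptor uses
     * to encode the value (e.g. an NSTimestamp for a date column).
     */
    public static NSArray<NSDictionary> rows(EOEditingContext ec, String modelName,
            Class<?> entityClass, String sql, Object... attrNamesAndValues) {
        if (attrNamesAndValues.length % 2 != 0) {
            throw new IllegalArgumentException("expected (attributeName, value) pairs");
        }
        // Constructed check: a '?' inside a string literal would also be counted,
        // so keep literals out of the statement and pass them as bindings too.
        int placeholders = sql.length() - sql.replace("?", "").length();
        if (placeholders != attrNamesAndValues.length / 2) {
            throw new IllegalArgumentException(placeholders + " placeholder(s) but "
                    + attrNamesAndValues.length / 2 + " binding(s)");
        }
        EOEntity entity = EOUtilities.entityForClass(ec, entityClass);
        JDBCExpression exp = new JDBCExpression(entity);
        exp.setUseBindVariables(true);
        exp.setStatement(sql);
        for (int i = 0; i < attrNamesAndValues.length; i += 2) {
            String attrName = (String) attrNamesAndValues[i];
            EOAttribute attr = entity.attributeNamed(attrName);
            if (attr == null) {
                throw new IllegalArgumentException("no attribute " + attrName
                        + " on " + entity.name());
            }
            exp.addBindVariableDictionary(
                    exp.bindVariableDictionaryForAttribute(attr, attrNamesAndValues[i + 1]));
        }
        return ERXEOAccessUtilities.rawRowsForSQLExpression(ec, modelName, exp);
    }
}
```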