Creating and running queries

As you can see, the original queryString is no longer a simple search for a string but also executes a stored procedure in the database! The quote characters aren't escaped; hence the call to the stored procedure is another valid expression in the query. If you write a query like this, you open up a major security hole in your application by allowing the execution of arbitrary code on your database. This is known as an SQL injection security issue. Never pass unchecked values from user input to the database!

Fortunately, a simple mechanism prevents this mistake. The JDBC driver includes functionality for safely binding values to SQL parameters. It knows exactly what characters in the parameter value to escape, so the previous vulnerability doesn't exist. For example, the quote characters in the given search are escaped and are no longer treated as control characters but as part of the search string value. Furthermore, when you use parameters, the database is able to efficiently cache precompiled prepared statements, improving performance significantly.

There are two approaches to parameter binding: using positional or using named parameters. Hibernate and Java Persistence support both options, but you can't use both at the same time for a particular query. With named parameters, you can rewrite the query as

    String queryString = "from Item item where item.description like :search";

The colon followed by a parameter name indicates a named parameter. Then, bind a value to the search parameter:

    Query q = session.createQuery(queryString)
                     .setString("search", searchString);

Because searchString is a user-supplied string variable, you call the setString() method of the Query interface to bind it to the named parameter (:search). This code is cleaner, much safer, and performs better, because a single compiled SQL statement can be reused if only the bind parameters change.
Often, you'll need multiple parameters:

    String queryString = "from Item item"
                       + " where item.description like :search"
                       + " and item.date > :minDate";
    Query q = session.createQuery(queryString)
                     .setString("search", searchString)
                     .setDate("minDate", mDate);

The same query and code looks slightly different in Java Persistence:
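The vulnerable concatenation beside the named-parameter form, as an added example that is not part of the excerpt above, for both the Hibernate and the Java Persistence API. It assumes an Item entity with description and date properties, Hibernate 5.2 or later (setParameter() as the replacement for setString()/setDate()), and a Session or EntityManager obtained elsewhere.

```java
import java.util.Date;
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TemporalType;
import javax.persistence.TypedQuery;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example, not from the book excerpt. Assumes an Item entity with
// "description" and "date" properties and Hibernate 5.2+ (setParameter on
// org.hibernate.query.Query; setString()/setDate() are the older equivalents).
public class ItemSearch {

    // UNSAFE: the pattern the text warns about. The user-supplied value is pasted
    // into the HQL text, so a quote character in it changes the query's structure
    // instead of being treated as part of the search value. Shown for contrast only.
    public static String buildUnsafeHql(String searchString) {
        return "from Item item where item.description like '" + searchString + "'";
    }

    // SAFE (Hibernate API): the HQL text is fixed; values are bound to named
    // parameters and never parsed as query syntax. Note that LIKE wildcards
    // (% and _) inside searchString are still interpreted as wildcards by the
    // database; that is a search-semantics question, not an injection.
    public static List<Item> findSafe(Session session, String searchString, Date minDate) {
        String hql = "from Item item"
                   + " where item.description like :search"
                   + " and item.date > :minDate";
        Query<Item> q = session.createQuery(hql, Item.class)
                .setParameter("search", searchString)
                .setParameter("minDate", minDate);
        return q.list();
    }

    // SAFE (Java Persistence API): identical :name syntax via EntityManager.
    public static List<Item> findSafeJpa(EntityManager em, String searchString, Date minDate) {
        TypedQuery<Item> q = em.createQuery(
                "select item from Item item"
              + " where item.description like :search"
              + " and item.date > :minDate", Item.class);
        q.setParameter("search", searchString);
        q.setParameter("minDate", minDate, TemporalType.TIMESTAMP);
        return q.getResultList();
    }
}
```

In both safe variants the query text is a compile-time constant, which is also what lets the database reuse the prepared statement across calls.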
