Datanucleus, perhaps my post was too impetuous. Sorry. Actually "sql injection" (not real SQL) is a small issue on GAE. You are right. GAE does not use SQL, but you can "inject" a piece of query into it.

A very simple example:

    String name = request.getParameter("name");
    // the request value is concatenated straight into the JDOQL text
    String q = "select from Employee where lastName == '" + name + "'";
    Query query = pm.newQuery(q);   // single-string JDOQL, so the whole query text is passed

Case 1 (good): send name = smith
Case 2 (not good): send name = smith' || lastName == 'foo

OK. It's not so dangerous. In fact you cannot send strong injections like "smith' || '1'=='1" because the engine (actually) refuses it. So, you are right. No big problem.

Fabrizio

On Mon, Dec 27, 2010 at 10:29 AM, datanucleus <andy_jeffer...@yahoo.com> wrote:
> SQL injection? Into a database that doesn't support SQL? Please
> present a clear example of how such a thing can happen and what effect
> it can have. The application designer is the person who allows such a
> thing, not the underlying API
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine for Java" group.
> To post to this group, send email to
> google-appengine-j...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-appengine-java+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-appengine-java?hl=en.
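The fix Fabrizio's example points at is to stop building the JDOQL filter from the request string and bind the value as a query parameter instead. The following is an added illustration, not code from the thread or from DataNucleus: it places the concatenated filter from the post next to a parameterized version using JDO's `declareParameters`/`execute`. It assumes a persistence-capable `Employee` class with a `String lastName` field and an open `PersistenceManager pm`; the class and method names are my own.

```java
import java.util.Collection;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Added example (not from the thread). Assumes an Employee class with a
// String field "lastName" and an open PersistenceManager passed in as pm.
public class EmployeeLookup {

    // Vulnerable form, as in the post: the request value becomes part of the
    // JDOQL text, so the input  smith' || lastName == 'foo  rewrites the
    // filter and returns the smiths and the foos.
    @SuppressWarnings("unchecked")
    public static Collection<Employee> findByLastNameUnsafe(PersistenceManager pm, String name) {
        String q = "select from " + Employee.class.getName()
                 + " where lastName == '" + name + "'";
        Query query = pm.newQuery(q);
        return (Collection<Employee>) query.execute();
    }

    // Hardened form: the value is bound as a JDOQL parameter. Whatever the
    // user sends is compared as one opaque string and is never parsed as
    // query syntax, so the same input simply matches no employee.
    @SuppressWarnings("unchecked")
    public static Collection<Employee> findByLastNameSafe(PersistenceManager pm, String name) {
        Query query = pm.newQuery(Employee.class, "lastName == lastNameParam");
        query.declareParameters("String lastNameParam");
        return (Collection<Employee>) query.execute(name);
    }
}
```

Both methods are called the same way from a servlet, `findByLastNameSafe(pm, request.getParameter("name"))`, so switching to the parameterized form costs nothing at the call site; the difference is only whether the datastore engine's filter grammar ever sees user-controlled text.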