Datanucleus,

perhaps my post was too impetuous. Sorry.
Actually "SQL injection" (not real SQL) is a small issue on GAE. You are
right. GAE does not use SQL, but you can "inject" a piece of query into it.

A very simple example:
    String name = request.getParameter("name");               // untrusted request input
    String q = "select from Employee where lastName == '" + name + "'";  // concatenated into the JDOQL text
    Query query = pm.newQuery(Employee.class, q);

Case 1 (good): send name = smith
Case 2 (not good): send name = smith' || lastName == 'foo

OK. It's not so dangerous. In fact you cannot send strong injections like
"smith' || '1'=='1" because the engine (actually) refuses it.

So, you are right. No big problem.


   Fabrizio

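The lookup above, written both ways, as an added example that is not part of Fabrizio's post or of the DataNucleus/GAE code: the first method concatenates the request value into the JDOQL filter exactly as in the post, so "smith' || lastName == 'foo" rewrites the filter; the second binds the value as a declared JDO parameter, so the engine treats it as a string and never parses it. The Employee class and the PersistenceManager (obtained from the application's PersistenceManagerFactory) are assumptions standing in for the real application.

```java
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.Persistent;
import javax.jdo.annotations.PrimaryKey;
import javax.servlet.http.HttpServletRequest;

// Hypothetical persistence-capable class standing in for the application's own.
@PersistenceCapable
class Employee {
    @PrimaryKey
    Long id;
    @Persistent
    String lastName;
}

public class EmployeeLookup {

    // Vulnerable form (mirrors the post): the request value becomes part of the
    // JDOQL filter text, so name = "smith' || lastName == 'foo" changes the
    // filter instead of being compared as a surname.
    @SuppressWarnings("unchecked")
    static List<Employee> findUnsafe(PersistenceManager pm, HttpServletRequest request) {
        String name = request.getParameter("name");
        Query query = pm.newQuery(Employee.class, "lastName == '" + name + "'");
        return (List<Employee>) query.execute();
    }

    // Hardened form: the filter is a fixed string and the value is bound as a
    // declared parameter (standard JDO API), so the engine receives it as data.
    // Whatever the client sends, including quotes and "||", is matched literally.
    @SuppressWarnings("unchecked")
    static List<Employee> findSafe(PersistenceManager pm, HttpServletRequest request) {
        String name = request.getParameter("name");
        Query query = pm.newQuery(Employee.class);
        query.setFilter("lastName == nameParam");
        query.declareParameters("String nameParam");
        try {
            return (List<Employee>) query.execute(name);
        } finally {
            query.closeAll();   // release the result set regardless of outcome
        }
    }
}
```

With the parameterized form there is nothing left for a quote character to terminate, which is the same reason prepared statements close SQL injection; the GAE engine's rejection of some malformed filters is a bonus, not something to rely on.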

On Mon, Dec 27, 2010 at 10:29 AM, datanucleus <andy_jeffer...@yahoo.com> wrote:

> SQL injection ? into a database that doesn't support SQL? Please
> present a clear example of how such a thing can happen and what effect
> it can have. The application designer is the person who allows such a
> thing, not the underlying API
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine for Java" group.
> To post to this group, send email to
> google-appengine-j...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-appengine-java+unsubscr...@googlegroups.com
> .
> For more options, visit this group at
> http://groups.google.com/group/google-appengine-java?hl=en.
>
>
