[JIRA] Updated: (NXP-571) Change the query(String query) method signature to handle escaping natively

[Thierry Delprat (JIRA NUXEO)]

Issue (View Online) Key: NXP-571 Issue Type: Improvement Status: In Progress Priority: Major Assignee: Georges Racinet Reporter: Olivier Grisel Operations View all View comments View history Change the query(String query) method signature to handle escaping natively  Updated: 14/05/07 02:03   Created: 07/02/07 19:45   The following issue has been updated. Updater: Thierry Delprat Date: 14/05/07 02:03 Field Original Value New Value Change By Thierry Delprat on 14/05/07 02:03 Fix Version/s 5.1 M3 Fix Version/s 5.1 M4 Project: Nuxeo Enterprise Platform 5 Components: Query / Search Affects Versions: 5.1 M2 Fix Versions: 5.1 M4  Description    Currently client components find documents by forging a string query such as:    String myQuery = "SELECT * FROM document WHERE prefix1:field1 = 'value1' AND prefix2:field2 = 'value2'" and then feeding it to:    documentManager.query(myQuery) Which is bad since it's up to the client code to implement NXQL escaping (security protection against NXQL injection). So the new API instead accept:   String myQuery = "SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?"   Object[] params = new {"value1", "value2"};   documentManager.query(myQuery, params); and the NXQL escaping should be handled by the server as this is done with the PreparedStatement class of JDBC for instance. This message was automatically generated by Atlassian JIRA Enterprise Edition, Version: 3.7.2-186 - Bug/feature request. If you think it was sent incorrectly, contact one of this server's administrators.

_______________________________________________
ECM-tickets mailing list
ECM-tickets@lists.nuxeo.com
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets