
Key: NXP-571
Issue Type: Improvement
Status: In Progress
Priority: Major
Assignee: Georges Racinet
Reporter: Olivier Grisel

Change the query(String query) method signature to handle escaping natively 
Updated: 25/06/07 11:09   Created: 07/02/07 19:45  

The following comment has been added to this issue:

Author: Georges Racinet
Date: 25/06/07 11:09
Comment:
One could argue that stateless QMs actually provide the same functionality.

Project: Nuxeo Enterprise Platform 5
Components: Query / Search
Affects Versions: 5.1 M2
Fix Versions: 5.2 M1

Description
Currently client components find documents by forging a string query such as:

   String myQuery = "SELECT * FROM document WHERE prefix1:field1 = 'value1' AND prefix2:field2 = 'value2'";

and then feeding it to:

   documentManager.query(myQuery)

This is bad, since it is up to the client code to implement NXQL escaping (the security protection against NXQL injection).

So the new API should instead accept:

  String myQuery = "SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?";
  Object[] params = new Object[] {"value1", "value2"};
  documentManager.query(myQuery, params);

and the NXQL escaping should be handled by the server, as is done with the PreparedStatement class of JDBC, for instance.

This message was automatically generated by Atlassian JIRA Enterprise Edition, Version: 3.7.2-186 - Bug/feature request.

_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
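The binding the description above asks the server to do, shown as an added example; this is not Nuxeo's code and not how the project implemented NXP-571. The class name NxqlBinder, its methods, and the escaping rule (a backslash before a single quote or a backslash inside a single-quoted literal) are assumptions made for the illustration; the attacker value in main is constructed.

```java
/**
 * Added example (not Nuxeo code): a minimal server-side binder for the
 * proposed query(String, Object[]) API. Each '?' placeholder is replaced
 * by an escaped, quoted literal, so the caller never concatenates values
 * into NXQL text. The escaping rule used here (a backslash before ' and \)
 * is an assumption about NXQL string literals, not taken from Nuxeo sources.
 */
public final class NxqlBinder {

    private NxqlBinder() {
    }

    /** Quote a string as a single-quoted NXQL literal (assumed escaping rule). */
    static String escapeLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 2).append('\'');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' || c == '\'') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('\'').toString();
    }

    /** Render one bound value as an NXQL literal. */
    static String toLiteral(Object value) {
        if (value == null) {
            return "NULL";
        }
        if (value instanceof Number || value instanceof Boolean) {
            return value.toString(); // bare literal, no quoting needed
        }
        return escapeLiteral(value.toString());
    }

    /**
     * Bind params to the '?' placeholders of query, left to right.
     * A '?' inside an existing single-quoted literal is query text,
     * not a placeholder, so quoted regions are copied through untouched.
     */
    public static String bind(String query, Object[] params) {
        StringBuilder out = new StringBuilder(query.length() + 32);
        int next = 0;
        boolean inLiteral = false;
        for (int i = 0; i < query.length(); i++) {
            char c = query.charAt(i);
            if (inLiteral) {
                out.append(c);
                if (c == '\\' && i + 1 < query.length()) {
                    out.append(query.charAt(++i)); // keep the escaped char as-is
                } else if (c == '\'') {
                    inLiteral = false;
                }
            } else if (c == '\'') {
                inLiteral = true;
                out.append(c);
            } else if (c == '?') {
                if (next >= params.length) {
                    throw new IllegalArgumentException(
                            "placeholder " + (next + 1) + " has no parameter");
                }
                out.append(toLiteral(params[next++]));
            } else {
                out.append(c);
            }
        }
        if (next != params.length) {
            throw new IllegalArgumentException(
                    (params.length - next) + " parameter(s) left unbound");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value: closes the literal and
        // appends a clause that matches every document.
        String value1 = "x' OR prefix1:field1 <> '";

        // Client-side string forging, as in the description above.
        String forged = "SELECT * FROM document WHERE prefix1:field1 = '"
                + value1 + "' AND prefix2:field2 = 42";

        // Placeholders bound server-side; the value stays inside one literal.
        String bound = bind(
                "SELECT * FROM document WHERE prefix1:field1 = ? AND prefix2:field2 = ?",
                new Object[] {value1, 42});

        System.out.println(forged);
        System.out.println(bound);
    }
}
```

Running main prints the forged query with the attacker's `OR` clause spliced into the WHERE condition, and the bound query with the same input kept inside a single escaped literal. Two caveats apply: this binder still produces query text, whereas JDBC PreparedStatement sends parameter values to the database out of band, so the escaping rule must match exactly what the NXQL parser accepts; and values are typed by their Java class (the `42` autoboxes to Integer and is emitted bare), so a caller who wants a numeric string compared as text must pass it as a String.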
