[ 
http://jira.nuxeo.org/browse/NXP-571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stéfane Fermigier updated NXP-571:
----------------------------------

    Fix Version/s:     (was: 5.2 M2)
                   5.2 M3

> Change the query(String query) method signature to handle escaping natively
> ---------------------------------------------------------------------------
>
>                 Key: NXP-571
>                 URL: http://jira.nuxeo.org/browse/NXP-571
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Improvement
>          Components: Query / Search
>    Affects Versions: 5.1 M2
>            Reporter: Olivier Grisel
>            Assignee: Georges Racinet
>             Fix For: 5.2 M3
>
>
> Currently client components find documents by forging a string query such as:
>    String myQuery = "SELECT * FROM document WHERE prefix1:field1 = 'value1' "
>        + "AND prefix2:field2 = 'value2'";
> and then feeding it to:
>    documentManager.query(myQuery);
> Which is bad since it's up to the client code to implement NXQL escaping
> (security protection against NXQL injection).
> So the new API instead accepts:
>    String myQuery = "SELECT * FROM document WHERE prefix1:field1 = ? AND "
>        + "prefix2:field2 = ?";
>    Object[] params = new Object[] {"value1", "value2"};
>    documentManager.query(myQuery, params);
> and the NXQL escaping should be handled by the server as this is done with
> the PreparedStatement class of JDBC for instance.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets