On 14-03-2009 at 01:36, Ben Gunter wrote:
> That's a really bad idea, for several reasons. First and foremost, you open
> yourself up to an SQL injection attack whenever you take a value from a
> request parameter and embed it directly into a query string without at least
> sanitizing it first.

While true if you construct the query yourself, this is not the case for parameters in prepared statements. IIRC, JPA queries in the annotations are. Am I mistaken?

Oscar

--
Oscar Westra van holthe - Kind
http://www.xs4all.nl/~kindop/
Progress is made by lazy men looking for easier ways to do things.
-- Robert Heinlein

_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
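The distinction the two posts are circling, as an added example that is not code from the thread or from Stripes: a hypothetical `User` entity with a `@NamedQuery`, one lookup that concatenates the request value into the JPQL text (Ben's case) and one that binds it as a named parameter (Oscar's case). `EntityManager` is assumed to be injected by the container.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Hypothetical entity, not from the thread. The JPQL in the annotation is a
// constant string; ":name" marks a bind parameter, so the request value that
// is supplied later travels to the database separately from the query text.
@Entity
@NamedQuery(name = "User.byName",
            query = "SELECT u FROM User u WHERE u.name = :name")
public class User {
    @Id
    private Long id;
    private String name;

    public String getName() { return name; }

    // Vulnerable: the request parameter becomes part of the JPQL that the
    // provider parses, so quote characters in it alter the query itself.
    // This is the construction Ben Gunter warns about.
    public static List<User> findByNameUnsafe(EntityManager em, String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // Safe: the query text never changes, and the value is bound with
    // setParameter. The provider emits an SQL prepared statement with a bind
    // variable, so the value is only ever treated as data.
    public static List<User> findByName(EntityManager em, String name) {
        TypedQuery<User> q = em.createNamedQuery("User.byName", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // The same holds for an ad-hoc query built in code, as long as the
    // placeholder is in the literal and the value comes from setParameter.
    public static List<User> findByExactName(EntityManager em, String name) {
        return em.createQuery(
                "SELECT u FROM User u WHERE u.name = :name", User.class)
            .setParameter("name", name)
            .getResultList();
    }
}
```

Bind parameters can only stand in for values; a request value used as an identifier (an ORDER BY column, for instance) cannot be bound and must be checked against a fixed list of allowed names before it goes into the query text.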
