If you mean named queries using @NamedQuery and @NamedNativeQuery, then yes.
With those, you'll call setParameter(..) and it will be issued to the
database as a prepared statement. You should be safe doing that.

-Ben

On Sat, Mar 14, 2009 at 3:29 AM, Oscar Westra van Holthe - Kind <
[email protected]> wrote:

> On 14-03-2009 at 01:36, Ben Gunter wrote:
> > That's a really bad idea, for several reasons. First and foremost, you
> > open yourself up to an SQL injection attack whenever you take a value from
> > a request parameter and embed it directly into a query string without at
> > least sanitizing it first.
>
> While true if you construct the query yourself, this is not the case for
> parameters in prepared statements. IIRC, JPA queries in the annotations
> are.
>
> Am I mistaken?
>
>
> Oscar
>
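Added illustration of the distinction drawn above (not code from the thread or from Stripes/JPA itself): an entity with a @NamedQuery and a @NamedNativeQuery, and a small repository that shows the concatenation pattern the thread warns against beside the setParameter pattern it recommends. The entity name, fields, query names and the EntityManager wiring are assumptions chosen for the example; the allow-list at the end covers the one case binding cannot, a caller-supplied identifier such as a sort column.

```java
// Added example (not from the Stripes-users thread). Entity, field and
// query names are assumptions chosen for illustration.
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedNativeQuery;
import javax.persistence.NamedQuery;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import java.util.List;
import java.util.Set;

@Entity
@NamedQuery(name = "Account.findByUsername",
            query = "SELECT a FROM Account a WHERE a.username = :username")
@NamedNativeQuery(name = "Account.findByEmailNative",
                  query = "SELECT * FROM account WHERE email = ?1",
                  resultClass = Account.class)
public class Account {
    @Id
    private Long id;
    private String username;
    private String email;
    // getters and setters omitted
}

class AccountRepository {
    private final EntityManager em;

    AccountRepository(EntityManager em) {
        this.em = em;
    }

    // The pattern the thread warns against: a request parameter is pasted
    // into the query text, so the value is parsed as JPQL rather than as data.
    List<Account> findByUsernameUnsafe(String username) {
        return em.createQuery(
            "SELECT a FROM Account a WHERE a.username = '" + username + "'",
            Account.class).getResultList();
    }

    // The pattern the thread recommends: the query text is a constant in the
    // annotation, and the value is bound with setParameter, so the provider
    // hands it to the database as a prepared-statement parameter. The value
    // is never interpreted as part of the query.
    List<Account> findByUsername(String username) {
        TypedQuery<Account> q =
            em.createNamedQuery("Account.findByUsername", Account.class);
        q.setParameter("username", username);
        return q.getResultList();
    }

    // Same idea for a named native query, using a positional parameter.
    @SuppressWarnings("unchecked")
    List<Account> findByEmail(String email) {
        Query q = em.createNamedQuery("Account.findByEmailNative");
        q.setParameter(1, email);
        return q.getResultList();
    }

    // What binding does not cover: a parameter can only stand in for a value,
    // not for an identifier such as the column in ORDER BY. Anything that must
    // become part of the query text is checked against a fixed allow-list
    // before it is concatenated.
    private static final Set<String> SORTABLE = Set.of("username", "email");

    List<Account> findAllSorted(String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        return em.createQuery(
            "SELECT a FROM Account a ORDER BY a." + sortField, Account.class)
            .getResultList();
    }
}
```

The same guarantee holds for ad hoc JPQL built with createQuery, as long as every user-supplied value goes through setParameter rather than into the string; what makes a named query comfortable is that its text lives in an annotation and so cannot be assembled from request data by accident.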
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
