Ben Gunter <gunter...@...> writes:
> That's a really bad idea, for several reasons. First and foremost, you open
> yourself up to an SQL injection attack whenever you take a value from a request
> parameter and embed it directly into a query string without at least sanitizing
> it first. (In this particular case, you're protected by the fact that the field
> is an int instead of a String. There may also be some additional protection by
> using JPA instead of JDBC, but it's still bad practice.) You really should be
> using named or positional parameters in your query, like so:
>     Stripersist.getEntityManager()
>         .createQuery("from Item where id = :id")
>         .setParameter("id", id)
>         .getSingleResult()
Ben -- Thanks so much for this great feedback. I was just looking through some
old posts and saw your reply and have updated my code based on your
suggestion. Please see below...
> Secondly, when looking up an entity by its ID using JPA, you should use
> EntityManager.find(..) to do so.
>     Stripersist.getEntityManager().find(Item.class, id)
>
> And finally, you don't have to do any of this at all because Stripersist will
> handle it for you if you set things up correctly. Declare your Item as a field
> of your ActionBean (with getter and setter), pass in a parameter with the same
> name as the Item property and the Item will magically appear, thanks to
> Stripersist's TypeConverter.
>     private Item item;
>
>     public Item getItem() { return item; }
>     public void setItem(Item item) { this.item = item; }
>
>     @DefaultHandler
>     public Resolution view() {
>         // No need to do anything. The item is already there!
>     }
>
> If you pass in a request parameter item=123 then the Item entity with ID 123
> will be there when your handler executes.
>
> -Ben
This is super intriguing, but this part has me stumped! This is what my action
now looks like per your comments above:
    public class ItemDetailActionBean extends BaseActionBean {
        private final static String VIEW = "/WEB-INF/jsp/item_detail.jsp";
        ...
        private Item item;
        private int id; // this is passed in from the JSP

        @DefaultHandler
        public Resolution view() {
            logger.debug("*** in view()");
            logger.debug("*** id: " + id);
            // commented this out per your suggestion
            /*
            item = (Item) Stripersist.getEntityManager()
                .createQuery("FROM Item WHERE id = :id")
                .setParameter("id", id)
                .getSingleResult();
            */
            return new ForwardResolution(VIEW);
        }
        ...
        public Item getItem() {
            return item;
        }

        public void setItem(Item item) {
            this.item = item;
        }

        public int getId() {
            return id;
        }

        public void setId(int id) {
            this.id = id;
        }
    }
However, when I try to pull out any of the item details within the JSP, I get
nothing! Here's my JSP:
    ...
    <c:if test="${not empty actionBean.item}">
        date: <fmt:formatDate type="date" dateStyle="full"
                              value="${actionBean.item.dateFound}"/><br/>
        name: ${actionBean.item.name}<br/>
        description: ${actionBean.item.desc}<br/>
    </c:if>
The URL that gets called to kick off this action bean (w/ the param) looks like
this:

    http://localhost:8080/app/ItemDetail.action?id=10
What am I doing wrong that I can keep my view empty, and not tell it how/where
to go to the DB to get the ID I'm looking for, and still get back what I need?
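The lookup styles contrasted in Ben's reply, side by side in one Stripes ActionBean, as an added example that is not code from either poster. It assumes an `Item` JPA entity whose primary key is an int `id`, the Stripersist package name `org.stripesstuff.stripersist.Stripersist` (from the Stripes Stuff project), and the JPA 1.x untyped `createQuery` the thread uses; the class and method names here are illustrative.

```java
// Added example, not from the original thread. Assumes an Item entity
// with an int primary key named "id" and the Stripes Stuff Stripersist API.
import javax.persistence.EntityManager;
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import org.stripesstuff.stripersist.Stripersist;

public class ItemLookupActionBean implements ActionBean {
    private static final String VIEW = "/WEB-INF/jsp/item_detail.jsp";
    private ActionBeanContext context;
    private Item item;

    // 1. The pattern Ben warns against: a request value is spliced into the
    //    JPQL text. With a String-typed value the caller controls part of the
    //    query; an int-typed field narrows the exposure but the habit is unsafe.
    static String unsafeJpql(String rawId) {
        return "from Item where id = " + rawId;   // do not do this
    }

    // 2. Named parameter: the value is bound by the provider and is never
    //    interpreted as query text, whatever its type.
    static Item loadByQuery(EntityManager em, int id) {
        return (Item) em.createQuery("from Item where id = :id")
                        .setParameter("id", id)
                        .getSingleResult();
    }

    // 3. Primary-key lookup: the idiomatic JPA call for "one entity by id"
    //    and, like (2), free of string assembly.
    static Item loadByPrimaryKey(EntityManager em, int id) {
        return em.find(Item.class, id);
    }

    // 4. Let Stripersist's TypeConverter do the work: a request parameter
    //    whose name matches this property ("item") is converted into the
    //    entity before the handler runs, so the bean holds no id field at all.
    public Item getItem() { return item; }
    public void setItem(Item item) { this.item = item; }

    @DefaultHandler
    public Resolution view() {
        // Nothing to load here; 'item' is already set when the request
        // carried item=<id>. Styles (2) and (3) would only be needed if the
        // lookup had to happen explicitly, e.g. loadByPrimaryKey(
        // Stripersist.getEntityManager(), someId).
        return new ForwardResolution(VIEW);
    }

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }
}
```

For style (4) the parameter name is what drives the conversion: with the property named `item`, the request has to carry `item=10`, so the URL would be `ItemDetail.action?item=10` rather than `?id=10`; a parameter named `id` with no matching `Item`-typed property leaves `actionBean.item` null and the `<c:if test="${not empty actionBean.item}">` block empty. Whichever style is used, the value reaching the persistence layer is bound, not concatenated, which is the point of Ben's first objection.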
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users