Hi Marc, speaking of JSR 283... it will also allow you to create prepared queries with variables that you can bind values to.
regards
marcel

Marc Speck wrote:
> Hi Alex
>
> Thanks for the quick response.
>
> 1) JCR SQL and XPath are read-only (not DROP table attacks)
>
> Indeed, that makes it much more secure.
>
>
>> 2) XPath syntax is much more specific, so you cannot easily add
>> another statement in an injection
>
> "cannot easily add" is not very reassuring in a security context ;-)
> But taken 1), the worst thing that could happen is that the user gets more
> results. Providing ACL in jsr283 is going to work fine, the user has no
> access to hidden information.
>
>
>>
>> http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup
>
> Thanks for that, didn't know.
>
> Marc
>
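The difference Marcel is pointing at, shown as an added example that is not code from this thread or from Jackrabbit itself: the same lookup written once with the value concatenated into an XPath statement (JCR 1.0 style) and once with a JCR 2.0 / JSR 283 bind variable. The Session passed in, nt:base as the search scope and the property name `title` are assumptions made for the example.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Untrusted input in a JCR query: string concatenation versus the
 * JSR 283 (JCR 2.0) bind variables mentioned in the thread.
 *
 * Assumptions for this example: an authenticated Session is obtained
 * elsewhere by the application, and nodes carry a "title" property
 * (a hypothetical property name).
 */
public class TitleSearch {

    private final Session session;

    public TitleSearch(Session session) {
        this.session = session;
    }

    /**
     * JCR 1.0 style: the user value becomes part of the XPath text itself.
     * A value containing a single quote changes the predicate, so the query
     * that runs is no longer the one the developer wrote. Because JCR
     * queries are read-only and results are still filtered by the session's
     * access control, the effect is limited to a wider result set, which is
     * the point made in the thread. It is still a bug worth catching in review.
     */
    public QueryResult findByTitleConcatenated(String userTitle)
            throws RepositoryException {
        String xpath = "//element(*, nt:base)[@title = '" + userTitle + "']";
        QueryManager qm = session.getWorkspace().getQueryManager();
        @SuppressWarnings("deprecation") // Query.XPATH is deprecated in JCR 2.0
        Query q = qm.createQuery(xpath, Query.XPATH);
        return q.execute();
    }

    /**
     * JSR 283 style: the statement is fixed and parsed first; the user value
     * is bound to $title afterwards. Whatever the value contains, it is
     * compared as a string and cannot alter the structure of the query.
     */
    public QueryResult findByTitleBound(String userTitle)
            throws RepositoryException {
        String sql2 = "SELECT * FROM [nt:base] AS n WHERE n.[title] = $title";
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(sql2, Query.JCR_SQL2);
        Value v = session.getValueFactory().createValue(userTitle);
        q.bindValue("title", v);
        return q.execute();
    }

    /**
     * Review aid: the variable names the repository parsed out of the
     * statement. Every name returned here must be bound before execute(),
     * otherwise the query fails instead of silently matching nothing.
     */
    public static String[] declaredVariables(Query q) throws RepositoryException {
        return q.getBindVariableNames();
    }
}
```

The Text helper linked in the thread does a different job: escapeIllegalXpathSearchChars is aimed at trailing characters that break the jcr:contains() search syntax, and it is not a substitute for binding values. With $title the whole value is passed as data, so no escaping of the value is needed at all.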
