Thiago, please re-read the code... It is using parameters (indexed rather than named) and cannot be SQL injected.
On Friday, 17 February 2012, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:

> On Fri, 17 Feb 2012 03:37:30 -0200, George Christman <gchrist...@cardaddy.com> wrote:
>
>> I did make further progress with the query, I fixed the count exception with count(c2.id).
>>
>> "select c1.id, count(c2.id) "
>> + "from CATEGORY c1 "
>> + "left join CATEGORY c2 on c2.parentCategoryId = c1.id "
>> + "where c1.id in (" + questions + ") "
>> + "group by c1.id");
>
> This code allows SQL injection attacks. Use Hibernate parameters (which use JDBC PreparedStatements) instead, all the time.
>
> Obligatory XKCD: http://xkcd.com/327/
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
> Owner, Ars Machina Tecnologia da Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
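The fix Thiago recommends, as an added example written for this page (not code from the thread, from Tapestry or from Hibernate): the concatenated query from the thread beside a version that binds the id list through Hibernate's setParameterList, so the id values reach the database as JDBC bind parameters instead of SQL text. The CategoryChildCounts class, the open Hibernate Session and the Integer ids are assumptions; the CATEGORY table with its id and parentCategoryId columns is taken from the thread.

```java
import java.util.List;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

/** Added example: string-built query next to its parameterized form. */
public class CategoryChildCounts {

    // Same shape as the query quoted in the thread: the caller's string is
    // spliced into the statement, so its contents are parsed as SQL by the
    // database. Kept here only for contrast with the method below.
    static String concatenatedSql(String questions) {
        return "select c1.id, count(c2.id) "
             + "from CATEGORY c1 "
             + "left join CATEGORY c2 on c2.parentCategoryId = c1.id "
             + "where c1.id in (" + questions + ") "
             + "group by c1.id";
    }

    // Parameterized form. The SQL text is a constant; the ids are bound as
    // values. Hibernate expands the collection given to setParameterList into
    // one "?" placeholder per element and binds each one through the
    // underlying JDBC PreparedStatement, so no id is ever interpreted as SQL.
    // Taking List<Integer> also means non-numeric input fails at the caller,
    // before any statement is built. (session is assumed to be an open
    // Hibernate Session.)
    static List<Object[]> countChildren(Session session, List<Integer> questionIds) {
        String sql = "select c1.id, count(c2.id) "
                   + "from CATEGORY c1 "
                   + "left join CATEGORY c2 on c2.parentCategoryId = c1.id "
                   + "where c1.id in (:questions) "
                   + "group by c1.id";
        SQLQuery query = session.createSQLQuery(sql);
        query.setParameterList("questions", questionIds);
        @SuppressWarnings("unchecked")
        List<Object[]> rows = query.list(); // each row: [c1.id, count(c2.id)]
        return rows;
    }
}
```

Whether the parameter is named (`:questions`) or positional (`?`) makes no difference to the protection; what matters is that the id list is bound rather than concatenated into the query text.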