On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:

> We do and users should, but there is a function which allows script authors
> to construct queries for document names so they are allowed to finish an HQL
> query. If the script author is malicious or if they don't properly use
> prepared statements then SQL can be injected into the HQL.
> see XWiki.searchDocuments
> http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29

Actually Gregor might be right and we could decide to deprecate this method and recommend using one which would take a varargs list of parameters, wdyt?

Thanks
-Vincent

> I hope this clears up exactly what the issue is.
>
> Caleb
>
>
> Gregor Schneider wrote:
>> Very simple question:
>>
>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>> why don't you just use PreparedStatements?
>>
>> Just a thought...
>>
>> Rgds
>>
>> Gregor

_______________________________________________
users mailing list
http://lists.xwiki.org/mailman/listinfo/users
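The two API shapes discussed in this thread, side by side, as an added example that is not XWiki code and not part of the original thread. XWiki runs HQL through Hibernate in Java; this example uses Python's standard sqlite3 module as a stand-in because the mechanism being argued for is the same: a caller-supplied value must be bound as a parameter, never spliced into the query text. The table, the document names and the function names (`search_documents_concat`, `search_documents_params`) are all constructed for the example; the second function mirrors the proposed method that would take a fixed query fragment plus a varargs list of parameters.

```python
import sqlite3

# Constructed sample rows standing in for wiki documents (not real XWiki data).
# The second name contains a single quote on purpose: ordinary data that
# breaks string concatenation but is harmless when bound as a parameter.
SAMPLE_DOCS = [
    ("Main.WebHome", "Main"),
    ("Main.O'Brien", "Main"),
    ("Sandbox.Secret", "Sandbox"),
]


def open_sample_db():
    """Create an in-memory database holding the constructed sample documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (fullname TEXT NOT NULL, space TEXT NOT NULL)")
    conn.executemany("INSERT INTO doc VALUES (?, ?)", SAMPLE_DOCS)
    return conn


def search_documents_concat(conn, name):
    """The searchDocuments(String) shape: the caller's value is spliced into the
    query text, so every quote or operator in the value is parsed as query syntax.
    Kept here only to show what parameter binding replaces."""
    sql = "SELECT fullname FROM doc WHERE fullname = '" + name + "' ORDER BY fullname"
    return [row[0] for row in conn.execute(sql)]


def search_documents_params(conn, where_fragment, *params):
    """The proposed shape: a WHERE fragment with ? placeholders plus a varargs
    list of parameters. The driver binds each parameter as a value, so the
    query structure is fixed before any caller data is seen."""
    if where_fragment.count("?") != len(params):
        # Catching this up front gives a clear error instead of a driver error
        # or, worse, a silently shorter query.
        raise ValueError("placeholder/parameter count mismatch")
    sql = "SELECT fullname FROM doc WHERE " + where_fragment + " ORDER BY fullname"
    return [row[0] for row in conn.execute(sql, params)]


def concat_breaks_on_quote(conn, name="Main.O'Brien"):
    """True when the concatenating version cannot even query a legitimate name,
    which is the same parsing behaviour an injected fragment relies on."""
    try:
        search_documents_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print("concat breaks on a quoted name:", concat_breaks_on_quote(db))
    print("bound lookup:", search_documents_params(db, "fullname = ?", "Main.O'Brien"))
    print("bound LIKE in a space:",
          search_documents_params(db, "space = ? AND fullname LIKE ?", "Main", "%Home"))
```

The placeholder count check is worth keeping in a real varargs API: a fragment with fewer `?` than parameters is usually a sign that a caller has concatenated a value into the fragment and then also passed it as a parameter, which is exactly the misuse the new method is meant to make hard.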
