On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
We do, and users should, but there is a function which allows script authors to construct queries for document names, so they are allowed to finish an HQL query. If the script author is malicious, or if they don't properly use prepared statements, then SQL can be injected into the HQL.
See XWiki.searchDocuments
http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
Actually, Gregor might be right, and we could decide to deprecate this method and recommend using one which would take a varargs list of parameters. WDYT?
Thanks
-Vincent
I hope this clears up exactly what the issue is.
Caleb
Gregor Schneider wrote:
> Very simple question:
>
> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
> why don't you just use PreparedStatements?
>
> Just a thought...
>
> Rgds
>
> Gregor
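To illustrate the two shapes discussed in this thread (a method where the script author finishes the query text versus one that also takes a varargs list of bound parameters), here is an added example that is not XWiki code and not HQL: it models the document store with an in-memory SQLite table and uses the DB-API `?` placeholder, which plays the role of Hibernate's positional parameters. `search_documents_unsafe`, `search_documents`, `make_db` and the sample rows are all constructed for this illustration.

```python
import sqlite3

# Constructed stand-in for the document table (space, name); not XWiki's schema.
SAMPLE_DOCS = [("Main", "WebHome"), ("Main", "Secret"), ("Sandbox", "WebHome")]


def make_db():
    """Create an in-memory table holding the constructed sample documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (space TEXT, name TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?, ?)", SAMPLE_DOCS)
    return conn


def search_documents_unsafe(conn, where_fragment):
    """The pattern under discussion: the caller finishes the query text.

    Any value the script author splices into where_fragment becomes query
    syntax, so a value like  x' OR '1'='1  widens the WHERE clause.
    """
    sql = "SELECT space, name FROM doc WHERE " + where_fragment
    return conn.execute(sql).fetchall()


def search_documents(conn, where_fragment, *params):
    """The proposed shape: query text plus a varargs list of parameters.

    Values travel separately from the text and are bound by the driver, so
    they are compared as literals and never parsed as query syntax. The
    fragment text itself is still the script author's responsibility.
    """
    if where_fragment.count("?") != len(params):
        raise ValueError("placeholder count does not match parameter count")
    sql = "SELECT space, name FROM doc WHERE " + where_fragment
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A document name that is also a fragment of query syntax.
    hostile_name = "x' OR '1'='1"
    # Splicing the value into the text returns every document.
    print(search_documents_unsafe(db, "name = '" + hostile_name + "'"))
    # Binding the same value matches nothing, because no document has that name.
    print(search_documents(db, "name = ?", hostile_name))
    # Ordinary use of the parameterised form.
    print(search_documents(db, "space = ? AND name = ?", "Main", "WebHome"))
```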