编写语句,hibernate和HQL [英] Prepared statements, hibernate and HQL
本文介绍了编写语句,hibernate和HQL的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
例子:
公开名单<学生> loadAllStudentsByStatus(String status){
String queryString =FROM Student student WHERE student.status =+ status;
查询queryObject = currentSession()。createQuery(queryString);
返回queryObject.list();
}
状态将被解析并用作SQL中的参数,或者它是作为内联参数发送的。
我的理由背后是最佳实践和重复调用的查询性能
解决方案
它被内联发送。当 status 是一个客户端控制的值时,您肯定不希望这样做。
而不是参数化它:
return currentSession()
.createQuery(FROM Student student WHERE student.status =:status)
.setParameter(状态,状态)
.list();
另请参阅:
Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within an HQL handled ?
example:
public List<Student> loadAllStudentsByStatus(String status) {
String queryString = "FROM Student student WHERE student.status = " + status;
Query queryObject = currentSession().createQuery(queryString);
return queryObject.list();
}
Will status be "parsed" and used as a parameter in SQL, or does it get sent as an inline parameter.
My reason behind the argument is "best practices", and query performance for repetitive calls
解决方案
It gets sent inline. You definitely don't want to do this when status is a client-controlled value.
Rather parameterize it:
return currentSession()
.createQuery("FROM Student student WHERE student.status = :status")
.setParameter("status", status)
.list();
See also:
这篇关于编写语句,hibernate和HQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
