[goto] Hibernate prevents SQL injection

Source: Internet
Author: User
Tags goto

Hibernate provides rich support for dynamic binding of query parameters. What does dynamic parameter binding mean? Anyone familiar with traditional JDBC programming will recognise it immediately: the statement text is fixed and the values are supplied separately, as in the following JDBC parameter binding:

PreparedStatement pre = connection.prepareStatement("select * from User where User.name = ?");
pre.setString(1, "zhaoxin");   // JDBC positional parameters are 1-based
ResultSet rs = pre.executeQuery();

Hibernate provides the same query parameter binding function, and it is richer than the traditional JDBC operation: Hibernate offers four ways to bind parameters, which are described in turn below.

1. Binding by parameter name:

Named parameters in an HQL statement are defined with a leading ":" in the following form:
Query query = session.createQuery("from User user where user.name = :customerName and user.age = :customerAge");
query.setString("customerName", name);
query.setInteger("customerAge", age);

In the code above, :customerName and :customerAge define the named parameters customerName and customerAge respectively; the setXxx() methods of the Query interface then set their values. Each setXxx() method takes two arguments: the name of the named parameter and its actual value.

2. Binding by parameter position:

Query query = session.createQuery("from User user where user.name = ? and user.age = ?");
query.setString(0, name);      // Hibernate positional parameters are 0-based
query.setInteger(1, age);



Note: in real development, named parameters are recommended over positional ones, because they give much better readability and make the program easier to maintain: when the position of a query parameter changes, code that uses named parameters does not have to be adjusted.

3. setParameter() method:

In a Hibernate HQL query, the setParameter() method can bind a parameter of any type, as follows:
String hql = "from User user where user.name = :customerName";
Query query = session.createQuery(hql);
query.setParameter("customerName", name, Hibernate.STRING);

As the code shows, setParameter() takes three arguments: the named parameter's name, its actual value, and its Hibernate mapping type. For many parameter types Hibernate can infer the mapping type from the Java type of the value, so the mapping type need not be given explicitly and the example above can be written simply as:

query.setParameter("customerName", name);

For some types, however, the mapping type must be specified. java.util.Date is one such case, because it corresponds to several Hibernate mapping types, such as Hibernate.DATE or Hibernate.TIMESTAMP.

4. setProperties() method:

In Hibernate, the setProperties() method binds named parameters to the property values of an object, as in the following code:

Customer customer = new Customer();
customer.setName("Pansl");
customer.setAge(age);   // the age literal in the original was garbled; the age variable from the earlier snippets is reused here
Query query = session.createQuery("from Customer c where c.name = :name and c.age = :age");
query.setProperties(customer);

The setProperties() method automatically matches the property values of the Customer instance to the named parameters; the requirement is that each named parameter has the same name as the corresponding property of the entity object.

There is also a special setEntity() method that binds a named parameter to a persistent object, as in the following code:

Customer customer = (Customer) session.load(Customer.class, "1");
Query query = session.createQuery("from Order o where o.customer = :customer");   // "order" is an HQL keyword, so the alias is "o"
query.setEntity("customer", customer);
List list = query.list();

The code above generates an SQL statement similar to the following:

select * from order where customer_id = '1';
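Why binding is what actually prevents injection, shown as an added example that is not part of the original post: the concatenated query puts the caller's value into the HQL text, while the bound versions keep the statement fixed and pass the value separately. It assumes a mapped User entity with name and age properties and the Hibernate 3 Session/Query API used above.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Added example, not from the original post. Assumes a mapped User entity
// with "name" and "age" properties and the Hibernate 3 Session/Query API.
public class UserDao {

    // Unsafe: the user-supplied value becomes part of the HQL text. A single
    // quote in the input ends the string literal, and whatever follows is
    // parsed as HQL, so the caller's input can change the query's structure.
    public List findByNameUnsafe(Session session, String name) {
        String hql = "from User user where user.name = '" + name + "'";
        return session.createQuery(hql).list();
    }

    // Safe: the HQL text is constant; the value is bound as a parameter and
    // reaches the database through a JDBC PreparedStatement placeholder, so
    // it is compared literally as a name and is never parsed as query text.
    public List findByName(Session session, String name) {
        Query query = session.createQuery(
            "from User user where user.name = :customerName");
        query.setString("customerName", name);
        return query.list();
    }

    // Positional binding gives the same guarantee; only the way the
    // parameter is addressed differs (Hibernate positions are 0-based).
    public List findByNameAndAge(Session session, String name, int age) {
        Query query = session.createQuery(
            "from User user where user.name = ? and user.age = ?");
        query.setString(0, name);
        query.setInteger(1, age);
        return query.list();
    }

    // Object-property binding: each named parameter takes the value of the
    // User property with the same name (requires a User with getName/getAge).
    public List findLike(Session session, User example) {
        Query query = session.createQuery(
            "from User user where user.name = :name and user.age = :age");
        query.setProperties(example);
        return query.list();
    }
}
```

A code review or static check that flags any createQuery() argument built with string concatenation of external input catches the unsafe form; every query in this class other than findByNameUnsafe passes that check.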
