Hibernate binding Parameters

Source: Internet
Author: User
Tags: sql injection attack

Advantages of using binding parameters:

Why do we use binding named parameters? Binding parameters in an HQL query has two main advantages:
① The database can optimize query performance

Because Hibernate uses a PreparedStatement underneath to execute queries, SQL statements with the same text but different parameter values can take advantage of the precompiled statement cache, which improves query efficiency.

Many people write HQL like this:
String hql = "from TUser user where user.name='" + username + "' and user.password='" + password + "'";
In fact this style is very bad: poor performance and low security.
1. The code is messy and hard to read.
2. It is hard to optimize query performance, because
from TUser user where user.name='Jack' and user.password='abc'
and
from TUser user where user.name='Jack' and user.password='123'
are two different statements to the database: the previously cached plan cannot be reused, so the performance optimization strategy fails.

② Prevents SQL injection security vulnerabilities:
SQL injection is an attack aimed at SQL statements. Take the common user login: on the login page the user enters a user name and password, and the login validator may generate the following HQL statement:
"from User user where user.name='" + name + "' and user.password='" + password + "'"
Logically this HQL statement has no problem, and normally the login check works correctly. But if the user enters the following as the user name: zhaoxin' or 'x'='x, and the HQL statement is assembled by simple string concatenation, the following HQL statement is generated:
"from User user where user.name='zhaoxin' or 'x'='x' and user.password='admin'";
Obviously the WHERE clause of this HQL statement is always true, so the user's password becomes meaningless. This is the basic principle of a SQL injection attack.
With parameter binding the problem is handled properly: when the binding parameter is used, the resulting statement is equivalent to:
from User user where user.name='zhaoxin'' or ''x''=''x' and user.password='admin';
This shows that with parameter binding the single quotation mark entered in the user name is treated as part of a string value (to include a single quote inside a string literal you write it as two single quotes), so parameter binding can effectively prevent SQL injection security vulnerabilities.
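The login check described above, written both ways as an added example (not code from the original page): it assumes a mapped entity User with String properties name and password, an open Hibernate 3.x Session, and the org.hibernate.Query API.

```java
// Added example, not from the original page. Assumes a mapped entity User
// (properties name, password) and an open Hibernate 3.x Session.
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

public class LoginDao {

    // Vulnerable: the user-supplied values become part of the HQL text.
    // With name = zhaoxin' or 'x'='x the statement becomes
    //   from User u where u.name='zhaoxin' or 'x'='x' and u.password='...'
    // whose WHERE clause is true for every row, so the password is never checked.
    public static User loginUnsafe(Session session, String name, String password) {
        String hql = "from User u where u.name='" + name
                   + "' and u.password='" + password + "'";
        List<?> rows = session.createQuery(hql).list();
        return rows.isEmpty() ? null : (User) rows.get(0);
    }

    // Hardened: the HQL text is constant; name and password travel as bound
    // parameters, so a quote inside the value is just a character being compared.
    // The constant statement text is also what lets the PreparedStatement cache
    // reuse one compiled statement for every login.
    // (The page compares the stored password directly; a real system compares
    // a password hash instead, but the binding works the same way.)
    public static User loginSafe(Session session, String name, String password) {
        Query query = session.createQuery(
            "from User u where u.name = :name and u.password = :password");
        query.setString("name", name);
        query.setString("password", password);
        // uniqueResult() returns null when no row matches.
        return (User) query.uniqueResult();
    }
}
```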

Parameter binding
Hibernate provides rich support for dynamic binding of query parameters. What is dynamic binding of query parameters? If you are familiar with traditional JDBC programming, it is not hard to understand; the following code shows traditional JDBC parameter binding:
PreparedStatement pre = connection.prepareStatement("select * from User where user.name=?");

pre.setString(1, "zhaoxin");

ResultSet rs = pre.executeQuery();


Hibernate also provides query parameter binding, and its support is richer than the traditional JDBC operation. Hibernate offers four ways to bind parameters, described separately below:

 
A. Binding by parameter name
Define named parameters in the HQL statement, beginning with ":", in the following form:
Query query = session.createQuery("from User user where user.name=:customername and user.age=:customerage");
query.setString("customername", name);
query.setInteger("customerage", age);

In the code above, :customername and :customerage define the named parameters customername and customerage respectively; the setXxx() methods of the Query interface then set the named parameter values. Each setXxx() method takes two arguments: the name of the named parameter and its actual value.
  
B. Binding by parameter position
In the HQL query statement, use "?" to define a parameter position, in the following form:
Query query = session.createQuery("from User user where user.name=? and user.age=?");
query.setString(0, name);
query.setInteger(1, age);
The setXxx() methods are used here as well; the difference is that the first argument of setXxx() is the position number of the parameter in the HQL statement (starting from 0), and the second argument is still the actual value of the parameter.
Note: in actual development, named parameters are recommended, because they not only give very good program readability but also make the program easier to maintain: when the position of a query parameter changes, code that uses named parameters does not need to be adjusted.
  
C. The setParameter() method

In Hibernate's HQL queries you can use the setParameter() method to bind a parameter of any type, as follows:
String hql = "from User user where user.name=:customername";
Query query = session.createQuery(hql);
query.setParameter("customername", name, Hibernate.STRING);

As shown in the code above, the setParameter() method takes three arguments: the name of the named parameter, its actual value, and its mapping type. For some parameter types, setParameter() can infer the mapping type from the Java type of the value, so there is no need to specify the mapping type explicitly; in the example above you can simply write:
query.setParameter("customername", name);
But for some types the mapping type must be specified, for example java.util.Date, because it corresponds to several Hibernate mapping types, such as Hibernate.DATE or Hibernate.TIMESTAMP.
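An added example (not from the original page) of the java.util.Date case just described: the same query bound with Hibernate.TIMESTAMP and with Hibernate.DATE, next to the inferred-type form for a String. It assumes a mapped entity Order with a java.util.Date property createdAt, a customer association whose target has a name property, and the Hibernate 3.x API.

```java
// Added example, not from the original page. Assumes a mapped entity Order
// (java.util.Date createdAt, association customer with a String name) and an
// open Hibernate 3.x Session.
import java.util.Date;
import java.util.List;
import org.hibernate.Hibernate;
import org.hibernate.Query;
import org.hibernate.Session;

public class OrderDao {

    // A java.util.Date value alone is ambiguous (Hibernate.DATE or
    // Hibernate.TIMESTAMP), so the mapping type is passed explicitly.
    // With Hibernate.TIMESTAMP the bound value keeps its time of day and the
    // comparison is exact.
    public static List<?> ordersSince(Session session, Date since) {
        Query query = session.createQuery(
            "from Order o where o.createdAt >= :since");
        query.setParameter("since", since, Hibernate.TIMESTAMP);
        return query.list();
    }

    // With Hibernate.DATE the same value is sent to the driver as a SQL DATE,
    // which is what you want when "day" means a calendar day rather than an
    // instant.
    public static List<?> ordersOnOrAfterDay(Session session, Date day) {
        Query query = session.createQuery(
            "from Order o where o.createdAt >= :day");
        query.setParameter("day", day, Hibernate.DATE);
        return query.list();
    }

    // A String needs no explicit type: the two-argument setParameter() infers
    // Hibernate.STRING from the Java type of the value.
    public static List<?> ordersForCustomerName(Session session, String name) {
        Query query = session.createQuery(
            "from Order o where o.customer.name = :name");
        query.setParameter("name", name);
        return query.list();
    }
}
```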
  
D. The setProperties() method
In Hibernate you can use the setProperties() method to bind named parameters to the property values of an object, as in the following code:
Customer customer = new Customer();
customer.setName("Pansl");
customer.setAge(80);
Query query = session.createQuery("from Customer c where c.name=:name and c.age=:age");
query.setProperties(customer);
The setProperties() method automatically matches the property values of the Customer instance to the named parameters, but requires that each named parameter has the same name as the corresponding property of the entity object.
There is also a special setEntity() method that associates a named parameter with a persistent object, as shown in the following code:
Customer customer = (Customer) session.load(Customer.class, "1");
Query query = session.createQuery("from Order o where o.customer=:customer");
query.setEntity("customer", customer);
List list = query.list();
The code above generates an SQL statement similar to the following:
select * from order where customer_id='1';

