Hibernate example of preventing SQL injection from parameter assignment parameters

From: https://my.oschina.net/u/1754093/blog/707083

1. Binding by parameter name

Define named parameters in the HQL statement to begin with ":" In the following form:

query=session.createQuery(“from User user where user.name=:customername and user:customerage=:age ”); query.setString(“customername”,name); query.setInteger(“customerage”,age); 

In the code above: CustomerName and: customerage define named Parameters CustomerName and Customerage respectively, and then use the Setxxx () method of the query interface to set the name parameter value, the Setxxx () method contains two parameters , which are named parameter names and the actual values of named parameters, respectively.

2, according to the parameter position bonding

In the HQL query statement, "?" To define the parameter position, in the following form:

query=session.createQuery(“from User user where user.name=? and user.age =? ”); query.setString(0,name); query.setInteger(1,age); 

Also use the Setxxx () method to set the binding parameters, except that the first parameter of the Setxxx () method represents the position number of the binding parameter in the HQL statement (starting with 0), and the second parameter still represents the actual value of the parameter.

Note: In the actual development, the use of the name of the state named parameter, because this can not only provide a very good program readability, but also improve the ease of maintenance of the program, because when the location of the query parameter changes, the name of the state parameter is not necessary to adjust the program code.

3. Setparameter () method

In Hibernate's HQL query, you can bind any type of parameter by using the Setparameter () method, as shown in the following code:

String hql=”from User user where user.name=:customername ”; Query query=session.createQuery(hql); query.setParameter(“customername”,name,Hibernate.STRING); 

As shown in the preceding code, the Setparameter () method contains three parameters, namely named parameter names, named parameter actuals, and named parameter mapping types. For some parameter types, the Setparameter () method can have a Java type with more parameter values, guess the corresponding mapping type, so there is no need to display the mapping type at this point, as the above example can write directly:
Query.setparameter ("CustomerName", name), but for some types it is necessary to specify the mapping type, such as The java.util.Date type, as it corresponds to various types of mappings for Hibernate, such as Hibernate.data or Hibernate.timestamp.

4. SetProperties () method

In hibernate, you can use the SetProperties () method to bind a named parameter to a property value of an object, as in the following program code:

Customer customer=new Customer(); customer.setName(“pansl”); customer.setAge(80); Query query=session.createQuery(“from Customer c where c.name=:name and c.age=:age ”); query.setProperties(customer); 

The SetProperties () method automatically matches the property value of the Customer object instance to the named parameter, but requires that the named parameter name must have the same name as the property corresponding to the entity object.
There is also a special setentity () method that will correlate named parameters with a persisted object, as shown in the following code:

Customer customer=(Customer)session.load(Customer.class,”1”); Query query=session.createQuery(“from Order order where order.customer=:customer ”); query. setEntity(“customer”,customer); List list=query.list(); 

Hibernate example of preventing SQL injection from parameter assignment parameters