时间:2022-12-06 01:26
hql防止sql注入的方法:
1.在HQL语句中定义命名参数要用”:”开头,例如:
Query query=session.createQuery(“from User user where user.name=:customername and user:customerage=:age ”);
query.setString(“customername”,name);
query.setInteger(“customerage”,age);
2.在HQL查询语句中用”?”来定义参数位置,例如:
Query query=session.createQuery(“from User user where user.name=? and user.age =? ”);
query.setString(0,name);
query.setInteger(1,age);
3.在Hibernate的HQL查询中可以通过setParameter()方法邦定任意类型的参数,例如:
String hql=”from User user where user.name=:customername ”;
Query query=session.createQuery(hql);
query.setParameter(“customername”,name,Hibernate.STRING);