remove CAUTION from doc because actually this is safe enough
This commit is contained in:
parent
a438474f45
commit
147cf6b112
|
@ -705,14 +705,11 @@ query.select(book).where(where)
|
|||
|
||||
Here, as before, the classes `Book_` and `Author_` are generated by Hibernate's <<metamodel-generator,JPA Metamodel Generator>>.
|
||||
|
||||
[CAUTION]
|
||||
[NOTE]
|
||||
// .Injection attacks and criteria queries
|
||||
====
|
||||
Notice that we did not bother treating `titlePattern` and `namePattern` as parameters.
|
||||
That's safe because, _by default_, Hibernate automatically and transparently handles any literal string passed to the `CriteriaBuilder` as a JDBC parameter.
|
||||
|
||||
But this behavior is controlled by the configuration setting `hibernate.criteria.value_handling_mode`.
|
||||
If you change the default behavior, and set the property to `INLINE` instead of `BIND`, you _must_ pass user-input via a JPA `ParameterExpression`.
|
||||
That's safe because, by default, Hibernate automatically and transparently treats strings passed to the `CriteriaBuilder` as JDBC parameters.
|
||||
====
|
||||
|
||||
Execution of a criteria query works almost exactly like execution of HQL.
|
||||
|
@ -1214,4 +1211,5 @@ In this section we'll quickly sketch some general strategies for avoiding "quagm
|
|||
Instead, _understand_ what you're doing; study the Javadoc of the APIs you're using; read the JPA specification; follow the advice we give in this document; go direct to the Hibernate team on Zulip.
|
||||
(Sure, we can be a bit cantankerous at times, but we _do_ always want you to be successful.)
|
||||
- Always consider other options.
|
||||
You don't have to use Hibernate for _everything_.
|
||||
You don't have to use Hibernate for _everything_.
|
||||
|
||||
|
|
Loading…
Reference in New Issue