From 80e249f0fb96b1c28a300c3a426474d9968138f6 Mon Sep 17 00:00:00 2001 From: Gavin King Date: Tue, 25 Jul 2023 18:47:49 +0200 Subject: [PATCH] remove CAUTION from doc because actually this is safe enough --- .../src/main/asciidoc/introduction/Interacting.adoc | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/documentation/src/main/asciidoc/introduction/Interacting.adoc b/documentation/src/main/asciidoc/introduction/Interacting.adoc index 2de26e6abe..85f047411f 100644 --- a/documentation/src/main/asciidoc/introduction/Interacting.adoc +++ b/documentation/src/main/asciidoc/introduction/Interacting.adoc @@ -705,14 +705,11 @@ query.select(book).where(where) Here, as before, the classes `Book_` and `Author_` are generated by Hibernate's <>. -[CAUTION] +[NOTE] // .Injection attacks and criteria queries ==== Notice that we did not bother treating `titlePattern` and `namePattern` as parameters. -That's safe because, _by default_, Hibernate automatically and transparently handles any literal string passed to the `CriteriaBuilder` as a JDBC parameter. - -But this behavior is controlled by the configuration setting `hibernate.criteria.value_handling_mode`. -If you change the default behavior, and set the property to `INLINE` instead of `BIND`, you _must_ pass user-input via a JPA `ParameterExpression`. +That's safe because, by default, Hibernate automatically and transparently treats strings passed to the `CriteriaBuilder` as JDBC parameters. ==== Execution of a criteria query works almost exactly like execution of HQL. 
@@ -1179,4 +1176,5 @@ In this section we'll quickly sketch some general strategies for avoiding "quagm Instead, _understand_ what you're doing; study the Javadoc of the APIs you're using; read the JPA specification; follow the advice we give in this document; go direct to the Hibernate team on Zulip. (Sure, we can be a bit cantankerous at times, but we _do_ always want you to be successful.) - Always consider other options. - You don't have to use Hibernate for _everything_. \ No newline at end of file + You don't have to use Hibernate for _everything_. +
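Review bot: in the first hunk (`@@ -705,14 +705,11 @@`, Interacting.adoc), the rewritten admonition drops the condition the deleted lines made explicit: that the automatic parameter binding only holds under the default `hibernate.criteria.value_handling_mode` of `BIND`, and that with `INLINE` user input `_must_` go through a JPA `ParameterExpression`. The new single sentence keeps "by default" but no longer tells the reader what the default is or what changes it, so someone who has set `INLINE` in their configuration will read this NOTE as a blanket guarantee. Downgrading from `[CAUTION]` to `[NOTE]` is reasonable if the default is considered safe, but I would keep a one-line pointer, e.g. "This depends on the default `hibernate.criteria.value_handling_mode=BIND`; with `INLINE`, pass user input via a `ParameterExpression`." The commented-out `// .Injection attacks and criteria queries` title could also be restored now that the block is the only place this behaviour is documented.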
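Review bot: the second hunk (`@@ -1179,4 +1176,5 @@`) is a whitespace-only change that is not mentioned in the commit message ("remove CAUTION from doc"): it fixes the missing newline at end of file but does so by appending an extra empty line (`+` with no content) after `You don't have to use Hibernate for _everything_.`, so the file now ends with a blank line rather than just a terminating newline. Either drop the added empty line so only the EOF newline changes, or mention the cleanup in the commit message so the unrelated diff is explained.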