remove CAUTION from doc because actually this is safe enough

This commit is contained in:
Gavin King 2023-07-25 18:47:49 +02:00 committed by Christian Beikov
parent 7f5e80145d
commit 80e249f0fb
1 changed files with 4 additions and 6 deletions

View File

@ -705,14 +705,11 @@ query.select(book).where(where)
Here, as before, the classes `Book_` and `Author_` are generated by Hibernate's <<metamodel-generator,JPA Metamodel Generator>>. Here, as before, the classes `Book_` and `Author_` are generated by Hibernate's <<metamodel-generator,JPA Metamodel Generator>>.
[CAUTION] [NOTE]
// .Injection attacks and criteria queries // .Injection attacks and criteria queries
==== ====
Notice that we did not bother treating `titlePattern` and `namePattern` as parameters. Notice that we did not bother treating `titlePattern` and `namePattern` as parameters.
That's safe because, _by default_, Hibernate automatically and transparently handles any literal string passed to the `CriteriaBuilder` as a JDBC parameter. That's safe because, by default, Hibernate automatically and transparently treats strings passed to the `CriteriaBuilder` as JDBC parameters.
But this behavior is controlled by the configuration setting `hibernate.criteria.value_handling_mode`.
If you change the default behavior, and set the property to `INLINE` instead of `BIND`, you _must_ pass user-input via a JPA `ParameterExpression`.
==== ====
Execution of a criteria query works almost exactly like execution of HQL. Execution of a criteria query works almost exactly like execution of HQL.
@ -1180,3 +1177,4 @@ In this section we'll quickly sketch some general strategies for avoiding "quagm
(Sure, we can be a bit cantankerous at times, but we _do_ always want you to be successful.) (Sure, we can be a bit cantankerous at times, but we _do_ always want you to be successful.)
- Always consider other options. - Always consider other options.
You don't have to use Hibernate for _everything_. You don't have to use Hibernate for _everything_.