
Thread: Quote problem with Spring+Hibernate

  1. #1
    Quote problem with Spring+Hibernate

    I am using Spring and Hibernate to persist my objects and it works fine except when I have single quotes in some fields of some objects.

    I know that single quotes are special characters for SQL and they must be "quoted". But I thought that Hibernate would be clever enough to do that sort of thing.

    It seems it's not the case, so what is the best way to do this?

    I don't want to modify the setters and getters of these fields to do the conversion.

    Thanks in advance.

  2. #2

    You need to escape the fields, see: http://www.hibernate.org/hib_docs/re...queryinterface
    Costin Leau
    SpringSource - http://www.SpringSource.com - Spring Training, Consulting, and Support - "From the Source"
    http://twitter.com/costinl
    Please use [ c o d e ] [ / c o d e ] tags

  3. #3

    Hibernate should handle single quotes as long as you use parameters. Take a look at the link posted above and make sure you're not doing something like:
    Code:
    String query = "from Skill where skillName = '"+skillname+"'";
    If there is still a problem, can you post the relevant code?

  4. #4

    One problem with escaping the String yourself is that it's possible to do SQL injection, meaning someone can craft a string that breaks the escaping. In Hibernate in Action I think there is some mention of it, but in short, use named parameters as much as possible; it's safer.
    Costin Leau
    SpringSource - http://www.SpringSource.com - Spring Training, Consulting, and Support - "From the Source"
    http://twitter.com/costinl
    Please use [ c o d e ] [ / c o d e ] tags

  5. #5

    It works fine with parameters.

    Thanks.

  6. #6

    You should never use raw String parameters. Not only are they prone to SQL injection and escaping issues, they mean that Hibernate can't use a PreparedStatement, so the JDBC usage is inefficient (through no fault of Hibernate or Spring).
    Rod Johnson - GM, SpringSource Division, VMware
    http://www.springsource.com
    Spring From the Source
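The concatenation pattern quoted in post #3 beside the named-parameter form the replies recommend, as an added example that is not code from the thread. It assumes a Hibernate 3-style org.hibernate.Session and a mapped entity Skill with a String property skillName (the names used in the thread); the class name SkillDao is made up here.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Added example, not from the original thread. Assumes an entity "Skill"
// with a String property "skillName", as in post #3.
public class SkillDao {

    // The pattern post #3 warns against. A value such as O'Reilly turns the
    // query text into
    //     from Skill where skillName = 'O'Reilly'
    // which is no longer valid HQL (the single quote the poster hit), and in
    // general the caller's value becomes part of the query itself rather
    // than data compared by it.
    public List<?> findByNameUnsafe(Session session, String skillName) {
        String hql = "from Skill where skillName = '" + skillName + "'";
        return session.createQuery(hql).list();
    }

    // Named parameter: Hibernate binds the value through JDBC, so quotes in
    // skillName are data, not syntax, and the same PreparedStatement can be
    // reused for every call (post #6's point about efficiency).
    public List<?> findByName(Session session, String skillName) {
        Query query = session.createQuery("from Skill where skillName = :name");
        query.setParameter("name", skillName);
        return query.list();
    }
}
```

With findByName, a skillName of O'Reilly is looked up as the literal string and no escaping in the getters or setters is needed.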
