Today I came across some code that runs a query with Hibernate. The query uses values submitted from a form. That made me curious whether this code "sanitizes" its input. Does Hibernate's createCriteria() clean the input?
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Restrictions;

public List<School> search(String query) {
    Session session = this.getCurrentSession();
    // Wrap the raw form value in LIKE wildcards to get a "contains" search.
    query = "%" + query + "%";
    Criteria criteria = session.createCriteria(getPersistentClass());
    criteria.createAlias("country", "a");
    // Case-insensitive LIKE on each searchable column, using the same pattern.
    Criterion nameCriterion = Restrictions.ilike("name", query);
    Criterion cityCriterion = Restrictions.ilike("city", query);
    Criterion countryCriterion = Restrictions.ilike("a.name", query);
    // name OR city OR country name
    Criterion criterion = Restrictions.or(Restrictions.or(nameCriterion, cityCriterion), countryCriterion);
    criteria.add(criterion);
    return criteria.list();
}
Is this safe?
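The check a reviewer would want here, as an added example that is not code from the original question: Restrictions.ilike() hands the value to the driver as a bound JDBC parameter (the generated SQL contains `like ?`, not the text itself), so a quote in the form field cannot change the statement. What parameter binding does not do is neutralise the LIKE metacharacters `%` and `_`, which pass through the `"%" + query + "%"` wrapper and are interpreted by the database: a lone `%` matches every row, and `_` matches any single character. The helper below escapes them before the pattern is built. The `likeToRegex` evaluator is only a stand-in for the database's case-insensitive LIKE so the effect can be seen offline, the school names are constructed sample data, and the class and method names are my own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not from the original question): escaping LIKE wildcards in
 * the user-supplied part of a "%" + query + "%" pattern.
 */
public class LikeEscapeDemo {

    /** Escape character used in the pattern; the database's ESCAPE clause must use the same one. */
    public static final char ESCAPE = '\\';

    /** Escape '%', '_' and the escape character itself in user-supplied text. */
    public static String escapeLike(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            if (c == '%' || c == '_' || c == ESCAPE) {
                sb.append(ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Same shape as the posted "%" + query + "%", but with the user text escaped first. */
    public static String containsPattern(String raw) {
        return "%" + escapeLike(raw) + "%";
    }

    /**
     * Stand-in for the database's case-insensitive LIKE (assumption: this is only
     * for showing the effect offline): translate a LIKE pattern with escapes into a regex.
     */
    static Pattern likeToRegex(String like) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < like.length(); i++) {
            char c = like.charAt(i);
            if (c == ESCAPE && i + 1 < like.length()) {
                // Escaped metacharacter: match it literally.
                re.append(Pattern.quote(String.valueOf(like.charAt(++i))));
            } else if (c == '%') {
                re.append(".*");
            } else if (c == '_') {
                re.append(".");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(re.append("$").toString(), Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    }

    /** Rows whose value satisfies the LIKE pattern under the stand-in evaluator. */
    static List<String> ilike(List<String> rows, String pattern) {
        Pattern p = likeToRegex(pattern);
        List<String> hits = new ArrayList<>();
        for (String r : rows) {
            if (p.matcher(r).matches()) {
                hits.add(r);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for School.name values.
        List<String> names = Arrays.asList("Springfield High", "Spring_Valley Academy", "Oak Ridge School");

        // A user types a lone '%': unescaped it becomes "%%%" and matches every row.
        String userInput = "%";
        System.out.println("unescaped: " + ilike(names, "%" + userInput + "%"));
        System.out.println("escaped:   " + ilike(names, containsPattern(userInput)));

        // '_' is a single-character wildcard: unescaped "Spring_" also matches "Springf...".
        userInput = "Spring_";
        System.out.println("unescaped: " + ilike(names, "%" + userInput + "%"));
        System.out.println("escaped:   " + ilike(names, containsPattern(userInput)));
    }
}
```

In the posted method this becomes Restrictions.ilike("name", escapeLike(query), MatchMode.ANYWHERE), which adds the surrounding wildcards for you. One caveat to verify against the generated SQL: the Criteria ilike emits a plain `like ?` without an ESCAPE clause, so the escape character that applies is whatever the database treats as the default (backslash on MySQL, PostgreSQL and H2); on a database with no default escape character you need an HQL query with an explicit `escape '\\'` clause instead.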
It just so happens I was just looking at the generated SQL (that is what reminded me to check these answers), and you are absolutely right. – Marvo 2013-04-05 23:05:50