hql防止sql注入的方法:
1.在HQL語句中定義命名參數要用”:”開頭,例如:
Query query=session.createQuery(“from User user where user.name=:customername and user:customerage=:age ”);
query.setString(“customername”,name);
query.setInteger(“customerage”,age);
2.在HQL查詢語句中用”?”來定義參數位置,例如:
Query query=session.createQuery(“from User user where user.name=? and user.age =? ”);
query.setString(0,name);
query.setInteger(1,age);
3.在Hibernate的HQL查詢中可以通過setParameter()方法邦定任意類型的參數,例如:
String hql=”from User user where user.name=:customername ”;
Query query=session.createQuery(hql);
query.setParameter(“customername”,name,Hibernate.STRING);
