[hibernate-issues] [Hibernate-JIRA] Commented: (HHH-2576) Allow native-sql to have placeholders for default schema and catalog
Paul Benedict (JIRA)
noreply at atlassian.com
Tue Nov 3 13:17:53 EST 2009
[ http://opensource.atlassian.com/projects/hibernate/browse/HHH-2576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=34422#action_34422 ]
Paul Benedict commented on HHH-2576:
------------------------------------
In regards to SQL injection, I concur. When I was writing above, I neglected to mention that all properties could be exposed through an HQL function to make them legitimate values. Otherwise, the only injection possible is through {h-schema/catalog}.
Although not explicitly stated, I thought {h-fn xxx} would use tuple syntax just like any other function?
> Allow native-sql to have placeholders for default schema and catalog
> --------------------------------------------------------------------
>
> Key: HHH-2576
> URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-2576
> Project: Hibernate Core
> Issue Type: Improvement
> Components: query-sql
> Affects Versions: 3.2.3
> Reporter: Max Rydahl Andersen
> Attachments: HHH-2576-01.patch
>
>
> we shold consider allowing something like:
> <sql-query name="queryName" callable="true">
> { call ${default_schema}.storedProcName() }
> </sql-query>
> similar for normal SQL queries too.
> <sql-query name="queryName">
> select * from ${default_schema}.CUSTOMER x where ...
> </sql-query>
> Maybe ${catalogschema} should be allowed to which would be the full prefix needed dependent on the dialect and would free one from having both catalog and schema + poper seperators in there.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the hibernate-issues
mailing list