Hibernate: Space is not allowed after parameter prefix ':' (JPA)
Tags: hibernate, spring-boot, jpa

Question:

I get an error: "Space is not allowed after parameter prefix ':'". I have tried escaping it with \:= but that does not work.

This is my query:
    // Assumed from the surrounding class: entityManagerFactory, processinfo, naebappid, resp
    // Assumed imports: javax.persistence.EntityManager, EntityTransaction, Query
    EntityManager em = null;
    EntityTransaction et = null;
    try {
        em = entityManagerFactory.createEntityManager();
        et = em.getTransaction();
        et.begin();
        // The values are concatenated straight into the SQL text; this is what
        // lets a ':' inside processinfo be misread and what makes the query injectable
        String q = "UPDATE naeb_application_processes SET process_info=" + processinfo + ", status=1 WHERE application_id=" + naebappid + " AND process_id=44";
        System.out.println(q);
        Query query = em.createNativeQuery(q);
        query.executeUpdate();
        et.commit();
        resp = "OK"; // set only after a successful commit so a failure is not overwritten
    } catch (Exception e) {
        if (et != null && et.isActive()) {
            et.rollback();
        }
        e.printStackTrace();
        resp = "FAILED";
    } finally {
        if (em != null) { // createEntityManager() may have thrown before em was assigned
            em.close();
        }
    }
Answer:

The problem is that you are not using parameters, which also leaves you vulnerable to SQL injection.

    // Assumed from the surrounding class: entityManagerFactory, processinfo, naebappid, resp
    // Assumed imports: javax.persistence.EntityManager, EntityTransaction, Query
    EntityManager em = entityManagerFactory.createEntityManager();
    EntityTransaction et = null;
    try {
        et = em.getTransaction();
        et.begin();
        // Named parameters: the SQL text never contains the values, so a ':' inside
        // processinfo cannot be taken for a parameter prefix and cannot alter the statement
        String q = "UPDATE naeb_application_processes SET process_info=:pinfo, status=1 WHERE application_id=:appid AND process_id = :pid";
        System.out.println(q);
        Query query = em.createNativeQuery(q);
        query.setParameter("pinfo", processinfo);
        query.setParameter("appid", naebappid);
        query.setParameter("pid", 44); // or 44L depending on your database and layout
        query.executeUpdate();
        et.commit();
        resp = "OK"; // set only after a successful commit so a failure is not overwritten
    } catch (Exception e) {
        if (et != null && et.isActive()) {
            et.rollback();
        }
        e.printStackTrace();
        resp = "FAILED";
    } finally {
        em.close();
    }

Every parameter that comes from outside must be added to the query as a name starting with ':' and should be simple, as shown above. Then pass those parameters into the query with query.setParameter. Always follow this practice to keep your data safe.

Another thing you should do is make sure you create only one EntityManager per HTTP request, rather than one per query, and always close it in a try/finally block like this.

Comments:

On which line do you get the error? Can you share the stack trace?

On the query = em.createNativeQuery(q); line.

The processinfo variable seems to contain the ':' character.
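To show why the concatenated query triggers this error while the named-parameter form does not, here is an added example (not from the question or answer, and not Hibernate's own code): a simplified imitation of Hibernate's parameter-prefix scan, run over both query strings from the page. The class name, the scan logic and the sample processinfo value are assumptions of mine.

```java
import java.util.ArrayList;
import java.util.List;
public class NamedParameterScan {
    // Simplified model of how Hibernate scans a native query for named parameters: a ':'
    // outside single-quoted literals starts a name, '::' (PostgreSQL cast) and an escaped
    // '\:' are skipped, and a ':' with no name after it is the question's error. Not Hibernate's code.
    static List<String> scanNamedParameters(String sql) {
        List<String> names = new ArrayList<>();
        boolean inQuote = false;
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') { inQuote = !inQuote; continue; }
            if (inQuote) continue;
            boolean nextIsColon = i + 1 < sql.length() && sql.charAt(i + 1) == ':';
            if ((c == '\\' || c == ':') && nextIsColon) { i++; continue; } // escaped ':' or '::' cast
            if (c != ':') continue;
            int end = i + 1;
            while (end < sql.length() && (Character.isLetterOrDigit(sql.charAt(end)) || sql.charAt(end) == '_')) {
                end++;
            }
            if (end == i + 1) {
                throw new IllegalArgumentException("Space is not allowed after parameter prefix ':' [" + sql + "]");
            }
            names.add(sql.substring(i + 1, end));
            i = end - 1;
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample value for processinfo: unquoted text containing ": ", as a note might
        String processinfo = "stage: validated";
        String concatenated = "UPDATE naeb_application_processes SET process_info=" + processinfo
                + ", status=1 WHERE application_id=17 AND process_id=44";
        String parameterized = "UPDATE naeb_application_processes SET process_info=:pinfo,"
                + " status=1 WHERE application_id=:appid AND process_id = :pid";
        System.out.println("bound names: " + scanNamedParameters(parameterized)); // values are bound separately
        try {
            scanNamedParameters(concatenated); // the value is part of the SQL text, so ': ' is seen by the scan
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The parameterized string yields three names and no error, while the concatenated string fails at the ':' inside processinfo, which is the same failure the question reports and the reason setParameter fixes it.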