I have seen the HQL SQL injection topic at How to prevent SQL Injection in hibernate?. But I could not understand how Query.setParameter("<parameter name>", <parameter value>) eliminates SQL injection.
If a malicious user passes true = true to the following HQL,
String hqlString = "from Item item where name= '"+nameValue+"'";
then he can pass it to query.setString("name"+ nameValue) also!
Do setString() and all of its sister methods have any filter to check for SQL injection?
The JDBC or Hibernate driver will escape this data appropriately before the query is executed, making sure that data is used just as data.
Before executing the query, the driver will escape characters like the following:
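As an added example (not code from the question or the answer), the concatenated query from the question beside its parameterized form; it assumes Hibernate 5.2+ with javax.persistence annotations, and the Item entity is a minimal one constructed for illustration:

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

@Entity
class Item {                       // minimal entity so the HQL below resolves (constructed for this example)
    @Id
    Long id;
    String name;
}

public class ItemLookup {

    // VULNERABLE: the user-supplied value is spliced into the HQL text before Hibernate
    // parses it. A value that closes the quote and appends a condition (as in the
    // question) changes the structure of the query, not just the compared value.
    static List<Item> findByNameUnsafe(Session session, String nameValue) {
        String hql = "from Item item where item.name = '" + nameValue + "'";
        return session.createQuery(hql, Item.class).list();
    }

    // SAFE: the HQL text is a constant containing the placeholder :name. Hibernate
    // parses this fixed text first, then hands the value to JDBC as a bound parameter.
    // Whatever nameValue contains is sent as data for a single string comparison and
    // is never re-parsed as part of the query.
    static List<Item> findByNameSafe(Session session, String nameValue) {
        Query<Item> query = session.createQuery(
                "from Item item where item.name = :name", Item.class);
        // First argument: the parameter NAME, fixed in the query text above.
        // Second argument: the VALUE. Concatenating the value into the first
        // argument (setString("name" + nameValue)) is not how the API is used.
        query.setParameter("name", nameValue);
        return query.list();
    }
}
```

With the safe form, a value that would have rewritten the unsafe query is simply compared against item.name as a whole string and matches no row unless a name literally equals it.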