
Web Application Entity Manager and PreparedStatement functionality

 
Joseph Maina
Greenhorn
I'm not a guru in web applications, but I'm trying to develop a web application, and I'm using the Entity Manager. The web application involves users posting data to the database. How do I incorporate the entity manager together with the PreparedStatement functionality to avoid users corrupting the database with SQL tags?

If I have EJB database session beans, when the content of the database changes, does the information on the web page get automatically updated dynamically on the client machine?
 
Rob Spoor
Sheriff
EntityManager (JPA) shouldn't be mixed with PreparedStatement (JDBC). JPA is built on top of JDBC, but it uses its own mechanisms.

You should check out javax.persistence.Query and javax.persistence.TypedQuery. Both support parameters in a similar way to PreparedStatement, both with JPA queries and with native queries, although if I recall correctly, native queries are limited to positioned parameters only, and named parameters are only supported for JPA queries.
 
Rob Spoor
Sheriff
Also duplicated in http://www.coderanch.com/t/646003/EJB-JEE/java/Web-Application-Entity-Manager-PreparedStatement
 
Joseph Maina
Greenhorn
Is it that a JPA entity manager can not prevent SQL injection?
 
Rob Spoor
Sheriff
Have you even read my first reply about parameters in queries?
 
Joseph Maina
Greenhorn
I have. I was not able to figure out how it would solve my problem without redesigning or adding new code to my application. My interest is not in queries but in users uploading info into the database safely without corrupting my database. Anyway, thanks for your help.
 
Rob Spoor
Sheriff
Positional parameters (:1, :2, etc) in JPA queries work just the same as in PreparedStatements, so yes, you can use those to prevent SQL injection. Named parameters (?name) work similarly but using names instead of indexes.
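The following is an added example, not code posted in this thread, illustrating the advice in Rob's two replies above (Query/TypedQuery with bound parameters, and persist() for user-submitted data). In the JPA specification the positional form is written ?1, ?2 and the named form :name, and native queries are only required to support the positional form; the example uses that syntax. The User entity, the USERS table, and the resource-local transaction are assumptions made for the illustration; in a container-managed EJB the container would begin and commit the transaction instead.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Query;
import javax.persistence.Table;
import javax.persistence.TypedQuery;

// Hypothetical entity for illustration; the thread names no entity classes.
// Assumed to map to a table USERS with columns ID, USERNAME, EMAIL.
@Entity
@Table(name = "USERS")
class User {
    @Id
    @GeneratedValue
    private Long id;
    private String username;
    private String email;

    protected User() { }  // no-arg constructor required by JPA

    User(String username, String email) {
        this.username = username;
        this.email = email;
    }

    public String getUsername() { return username; }
    public String getEmail() { return email; }
}

public class SafeJpaExample {

    /** UNSAFE: user input is concatenated into the JPQL string. A username such as
     *  x' OR '1'='1 becomes part of the query text and changes its logic (JPQL
     *  injection, with the same consequences as SQL injection). The "before" case. */
    static List<User> findByUsernameUnsafe(EntityManager em, String username) {
        String jpql = "SELECT u FROM User u WHERE u.username = '" + username + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    /** SAFE: named parameter (:username) in a JPQL TypedQuery. The provider binds
     *  the value through a JDBC PreparedStatement, so the input is never parsed
     *  as query text; quotes and keywords inside it are plain data. */
    static List<User> findByUsername(EntityManager em, String username) {
        TypedQuery<User> q = em.createQuery(
            "SELECT u FROM User u WHERE u.username = :username", User.class);
        q.setParameter("username", username);
        return q.getResultList();
    }

    /** SAFE: native SQL with a positional parameter (?1). Native queries are only
     *  required by the spec to support positional parameters. */
    static List<User> findByEmailNative(EntityManager em, String email) {
        Query q = em.createNativeQuery("SELECT * FROM USERS WHERE EMAIL = ?1", User.class);
        q.setParameter(1, email);
        @SuppressWarnings("unchecked")
        List<User> result = q.getResultList();
        return result;
    }

    /** Storing user-submitted data: persist() involves no query string at all.
     *  The provider emits an INSERT with bound parameters, so a value such as
     *  Robert'); DROP TABLE USERS;-- is stored literally, never executed.
     *  Resource-local transaction shown (assumption); under container-managed
     *  transactions in an EJB, drop the begin()/commit() calls. */
    static void register(EntityManager em, String username, String email) {
        em.getTransaction().begin();
        em.persist(new User(username, email));
        em.getTransaction().commit();
    }
}
```

The point for the original question: the entity manager itself neither prevents nor causes injection. What matters is whether user input ever becomes part of a query string. Building JPQL by concatenation (findByUsernameUnsafe) is as dangerous as building SQL by concatenation; setParameter() on a Query/TypedQuery and persist()/merge() on entities both end up as bound PreparedStatement parameters and are safe regardless of what the user typed.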
 