Web Application Entity Manager and PreparedStatement functionality

Joseph Maina
Greenhorn
Posts: 12
I am not a guru in web applications, but I am trying to develop a web application, and I am using the Entity Manager. The web application involves users posting data to the database. How do I incorporate the entity manager together with the PreparedStatement functionality to avoid users corrupting the database with SQL tags?

If I have EJB database session beans, when the content of the database changes, does the information on the web page get automatically updated dynamically on the client machine?
Rob Spoor
Sheriff
Posts: 22781
EntityManager (JPA) shouldn't be mixed with PreparedStatement (JDBC). JPA is built on top of JDBC, but it uses its own mechanisms.

You should check out javax.persistence.Query and javax.persistence.TypedQuery. Both support parameters in a similar way to PreparedStatement, both with JPA queries and with native queries, although if I recall correctly, native queries are limited to positional parameters only, and named parameters are only supported for JPA queries.
 
Rob Spoor
Sheriff
Posts: 22781
Also duplicated in https://coderanch.com/t/646003/EJB-JEE/java/Web-Application-Entity-Manager-PreparedStatement
 
Joseph Maina
Greenhorn
Posts: 12
Is it that a JPA entity manager can not prevent SQL injection?
 
Rob Spoor
Sheriff
Posts: 22781
Have you even read my first reply about parameters in queries?
 
Joseph Maina
Greenhorn
Posts: 12
I have. I was not able to figure out how it will solve my problem without redesigning or adding new code to my application. My interest is not in queries but in users uploading info into the database safely without corrupting my database. Anyway, thanks for your help.
 
Rob Spoor
Sheriff
Posts: 22781
Positional parameters (:1, :2, etc) in JPA queries work just the same as in PreparedStatements, so yes, you can use those to prevent SQL injection. Named parameters (?name) work similarly but using names instead of indexes.
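To make Rob's two replies about JPA parameters concrete, here is an added example; it is not code from this thread or from any poster. It assumes a hypothetical `Post` entity (id, author, body), an `EntityManager` injected by the container, and an active transaction around `persist`. It shows the string-concatenated JPQL that is injectable, the same lookup with a JPQL named parameter (`:author`), with a JPQL positional parameter (`?1`), with a native SQL positional parameter, and finally how user-submitted data is stored through `persist`, which never builds SQL text from field values. In JPQL the positional form is `?1`, `?2` and the named form is `:name`; native queries portably support only the positional form. The `javax.persistence` package is the Java EE 7 API; on Jakarta EE 9 and later it is `jakarta.persistence`.

```java
// Added example, not from the thread. Hypothetical entity and repository.
// javax.persistence = Java EE 7 API; use jakarta.persistence on Jakarta EE 9+.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Query;
import javax.persistence.TypedQuery;

@Entity
public class Post {
    @Id @GeneratedValue
    private Long id;
    private String author;
    private String body;

    protected Post() {}  // no-arg constructor required by JPA

    public Post(String author, String body) {
        this.author = author;
        this.body = body;
    }

    public String getAuthor() { return author; }
    public String getBody()   { return body; }
}

class PostRepository {
    private final EntityManager em;

    PostRepository(EntityManager em) { this.em = em; }

    // UNSAFE: the user value becomes part of the JPQL text. An author of
    //   x' OR '1'='1
    // turns the WHERE clause into  p.author = 'x' OR '1'='1'  and returns
    // every row; a well-chosen value can break the query entirely.
    List<Post> findByAuthorUnsafe(String author) {
        return em.createQuery(
                "SELECT p FROM Post p WHERE p.author = '" + author + "'", Post.class)
                .getResultList();
    }

    // SAFE: JPQL named parameter. The provider passes the value to the
    // underlying PreparedStatement as a bound value; the query text is fixed,
    // so the same input is simply compared literally and matches nothing.
    List<Post> findByAuthor(String author) {
        TypedQuery<Post> q = em.createQuery(
                "SELECT p FROM Post p WHERE p.author = :author", Post.class);
        q.setParameter("author", author);
        return q.getResultList();
    }

    // SAFE: JPQL positional parameter (?1), bound by index instead of name.
    List<Post> findByAuthorPositional(String author) {
        return em.createQuery(
                "SELECT p FROM Post p WHERE p.author = ?1", Post.class)
                .setParameter(1, author)
                .getResultList();
    }

    // SAFE: native SQL. This is the one place JPA hands your own SQL to the
    // database, so bind positionally; never concatenate. Table/column names
    // (POST, AUTHOR) are assumed defaults for the hypothetical entity.
    @SuppressWarnings("unchecked")
    List<Post> findByAuthorNative(String author) {
        Query q = em.createNativeQuery(
                "SELECT * FROM POST WHERE AUTHOR = ?1", Post.class);
        q.setParameter(1, author);
        return q.getResultList();
    }

    // Storing what users post: persist() maps fields to bound INSERT
    // parameters, so a body full of quotes or SQL keywords is stored
    // verbatim. Must run inside a transaction, e.g. a session bean method.
    Post save(String author, String body) {
        Post p = new Post(author, body);
        em.persist(p);
        return p;
    }
}
```

Only `findByAuthorUnsafe` is vulnerable; the other four methods leave the query text constant and let the JPA provider bind the value through JDBC's `PreparedStatement`, which is exactly the protection the original question asked for, without mixing raw JDBC into EntityManager code.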