
In an EJB query, it's recommended to use setParameters() instead of concatenating string parameters in order to avoid SQL injection attacks.

My question is: how do I set a parameter inside '' in a SQL update statement's SET clause:

// The quotes turn ':para' into a string literal, so the query declares no named parameter "para"
String basicQuery = "update SomeEntity e set e.someColumn = ':para'";
Query query = em.createQuery(basicQuery);
query.setParameter("para", someString); // fails: no parameter named "para" in the query

The runtime complains that it cannot locate parameter "para". Any workaround is appreciated.

Doug Moscrop
Wangge

1 Answer


Remove the single quotes around :para.

aCodeMonkey
  • This answer would have been just |_| that much better if you had said, "The quotes are not needed when using named parameters and are interfering with the syntax" as opposed to just saying "remove them". – Doug Moscrop Nov 28 '11 at 20:52
  • No it will not - you're not writing SQL. You're writing EJBQL (or JPAQL) which is an abstraction. `:para` is the syntax for a named parameter (named "para") and `setParameter` takes the name and value, and the JPA implementation will sanitize the input, add quotes, etc. – Doug Moscrop Nov 28 '11 at 21:33
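An added example, not code from the question or the answer, that puts the three forms of the update side by side: string concatenation (vulnerable), the quoted placeholder from the question (fails because no parameter exists), and bare named parameters (correct). It assumes a hypothetical entity `Account` with string fields `id` and `status`, an `EntityManager em` supplied by the caller, and an active transaction, which `executeUpdate()` requires; the attacker-controlled `accountId` value shown in the comment is constructed for illustration.

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;

/**
 * Three ways to write the same JPQL update. Only the last one is both
 * correct and injection-safe. Assumes a hypothetical entity Account with
 * String fields id and status, and that the caller has opened a
 * transaction (executeUpdate() throws TransactionRequiredException otherwise).
 */
public class AccountStatusUpdater {

    // 1. Vulnerable: caller-supplied values are spliced into the query text.
    //    With a constructed accountId of   42' or '1' = '1   the WHERE clause
    //    becomes   where a.id = '42' or '1' = '1'   and every Account row is updated.
    static int updateStatusConcatenated(EntityManager em, String accountId, String newStatus) {
        String jpql = "update Account a set a.status = '" + newStatus
                    + "' where a.id = '" + accountId + "'";
        return em.createQuery(jpql).executeUpdate();
    }

    // 2. Broken in the way the question describes: the quotes make ':status'
    //    a string literal, so the query declares no parameter named "status"
    //    and setParameter throws IllegalArgumentException.
    static int updateStatusQuotedPlaceholder(EntityManager em, String accountId, String newStatus) {
        Query q = em.createQuery(
            "update Account a set a.status = ':status' where a.id = :id");
        q.setParameter("status", newStatus); // throws: no such named parameter
        q.setParameter("id", accountId);
        return q.executeUpdate();
    }

    // 3. Correct: bare named parameters. The JPA provider binds the values
    //    through the JDBC driver, so quoting and escaping are never part of
    //    the query text, and the malicious accountId above matches no row.
    static int updateStatus(EntityManager em, String accountId, String newStatus) {
        Query q = em.createQuery(
            "update Account a set a.status = :status where a.id = :id");
        q.setParameter("status", newStatus);
        q.setParameter("id", accountId);
        return q.executeUpdate();
    }
}
```

Two things worth keeping in mind. The method on `javax.persistence.Query` is `setParameter(String, Object)`; there is no `setParameters`. And named parameters bind values only: the entity name, attribute names and the `set`/`where` structure cannot be parameterized, so if any of those come from user input they have to be checked against an allow-list before being placed in the query string.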