Updated: 2023-02-05 21:41:14
You should use positional parameters binding:
String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");
Please note that you should not use named parameter binding (:empName) in your query, as the JPA spec says:
Only positional parameter binding may be portably used for native queries.
This should secure you from SQL Injection attacks.
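To make the security point concrete, here is an added example (not from the original answer, and not JPA code) that shows the same mechanism with Python's built-in sqlite3 driver, which uses the same `?` positional placeholders as a JPA native query: the table name `EMP`, the sample rows and the injection payload are all constructed for this demonstration. The concatenated query lets a quote in the input change the query structure, while the bound query sends the value separately and treats it purely as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
EMPLOYEES = [(1, "Mickey"), (2, "Donald"), (3, "Goofy")]


def make_db():
    """Build an in-memory EMP table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMP (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO EMP (id, name) VALUES (?, ?)", EMPLOYEES)
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote in the
    input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name FROM EMP WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """Safe: '?' is a positional placeholder (JPA writes it as ?1). The driver
    binds the value after the statement is parsed, so it can never become SQL."""
    sql = "SELECT id, name FROM EMP WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants with a normal name and with a classic injection payload."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    return {
        "concat_normal": find_by_name_concat(conn, "Mickey"),
        "concat_injected": find_by_name_concat(conn, payload),  # returns every row
        "bound_normal": find_by_name_bound(conn, "Mickey"),
        "bound_injected": find_by_name_bound(conn, payload),    # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the payload turns the WHERE clause into `name = 'x' OR '1'='1'` and every employee comes back; with the bound query the same string is compared literally against the name column and no row matches. The same holds for a JPA native query: `setParameter(1, value)` hands the value to the JDBC driver as a bound parameter, which is why it is not spliced into the SQL text.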