October 18, 2010

Passing Values to ViewObject Binding Parameters

Using Named Bind Parameters with ViewObjects

To avoid SQL injection attacks, the named bind variable or positional parameter approach is recommended wherever you set a ViewObject where clause.

Here is the code snippet for the bind parameter approach:

public void addWhereClauseWithNamedBindParams() {
    ViewObject vo = this.getEmployee();   // oracle.jbo.ViewObject

    // Start from a clean where clause
    vo.setWhereClause(null);

    // The value travels as a bind variable; it is never concatenated into the SQL text
    vo.setWhereClause("Empno=:eNo");
    // Third argument is the optional int[] of positional indices; not needed here
    vo.defineNamedWhereClauseParam("eNo", Integer.valueOf(123), null);
    vo.executeQuery();

    // Remove the parameter and the clause so the ViewObject is left as it was
    vo.removeNamedWhereClauseParam("eNo");
    vo.setWhereClause(null);
}


Using Positional Parameters

Here is the code snippet for the positional parameters approach:

public void addWhereClause() {
    ViewObject vo = this.getEmployee();   // oracle.jbo.ViewObject

    // Start from a clean where clause with no parameters
    vo.setWhereClauseParams(null);
    vo.setWhereClause(null);

    // Oracle positional bind style: :1 is replaced by the first array element
    // (same Empno column as the named-parameter example above)
    vo.setWhereClause("Empno=:1");
    vo.setWhereClauseParams(new Object[] { Integer.valueOf(123) });

    vo.executeQuery();

    // Clear the parameters and the clause so the ViewObject is left as it was
    vo.setWhereClauseParams(null);
    vo.setWhereClause(null);
}
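The two snippets above reset the clause only if executeQuery() succeeds. The following is an added example, not code from the original post: it wraps the named-bind-parameter pattern in a helper that validates user input, passes it as a bind variable, and clears the clause in a finally block, with the concatenation anti-pattern shown only for contrast. It assumes the page's oracle.jbo.ViewObject API and an Employee view object with an Empno attribute; the class and method names are hypothetical.

```java
import oracle.jbo.Row;
import oracle.jbo.ViewObject;

public class EmployeeLookup {

    // Anti-pattern kept only for contrast: the caller's text becomes part of
    // the SQL statement, so the where clause is whatever the caller typed.
    static void unsafeLookup(ViewObject vo, String userInput) {
        vo.setWhereClause("Empno=" + userInput);   // never do this
        vo.executeQuery();
    }

    // Hardened form of the named-bind-parameter snippet from the post.
    // 1. The input is validated as a number before it goes anywhere near SQL.
    // 2. The value is bound as data (:eNo), not spliced into the SQL text.
    // 3. The parameter and clause are removed in a finally block, so an
    //    exception from executeQuery() cannot leave the shared ViewObject
    //    carrying a stale where clause for the next caller.
    static Row findEmployeeByNumber(ViewObject vo, String userInput) {
        Integer empNo;
        try {
            empNo = Integer.valueOf(userInput.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("employee number must be numeric", e);
        }
        try {
            vo.setWhereClause("Empno=:eNo");
            // Third argument is the optional int[] of positional indices; null here
            vo.defineNamedWhereClauseParam("eNo", empNo, null);
            vo.executeQuery();
            return vo.first();   // null when no row matches
        } finally {
            vo.removeNamedWhereClauseParam("eNo");
            vo.setWhereClause(null);
        }
    }
}
```

The same finally-block cleanup applies to the positional form: call setWhereClauseParams(null) and setWhereClause(null) there instead of removeNamedWhereClauseParam.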
