searope / jwpl

Automatically exported from code.google.com/p/jwpl

PageQueryIterable doesn't escape special characters #131

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create PageQuery object with title pattern containing quote character (').
2. Invoke wikipedia.getPages(pageQuery).

What is the expected output? What do you see instead?
I'm getting a Hibernate exception saying nested transactions are not supported.

What version of the product are you using? On what operating system?
1.0

Please provide any additional information below.
In the PageQueryIterable class, the SQL query shouldn't be created by concatenating 
strings. I have fixed this issue myself temporarily by using a query with 
named parameters and then binding them to the proper values from the PageQuery object. 
I'm pasting the code change below:

...
// HQL with a named parameter: the title pattern is bound as data, not spliced into the query text
String hql = "select p.pageId from Page as p where p.name like :name";
Query q = session.createQuery(hql);
q.setParameter("name", query.getTitlePattern()); // quotes in the pattern can no longer break the query
pageIdList = q.list();
...

Note I need only title pattern field in the HQL query.

Original issue reported on code.google.com by lukasz...@gmail.com on 9 Nov 2014 at 8:52
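The defect and the fix described above, as an added illustration that is not part of the issue or of JWPL's code: a throwaway in-memory SQLite table stands in for the Hibernate-backed Page table, and plain SQL stands in for HQL. `page_ids_concat` reproduces the string-concatenation query that breaks on a quote character; `page_ids_bound` binds the title pattern as a named parameter, the same approach the reporter applied. The table contents and page names are constructed sample data.

```python
import sqlite3
from typing import List, Optional

# Constructed sample rows standing in for JWPL's Page table (pageId, name).
SAMPLE_PAGES = [
    (1, "Berlin"),
    (2, "O'Neill"),
    (3, "O'Neill (disambiguation)"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database that plays the role of the Page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Page (pageId integer primary key, name text not null)")
    conn.executemany("insert into Page (pageId, name) values (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def page_ids_concat(conn: sqlite3.Connection, title_pattern: str) -> List[int]:
    """The shortcoming the issue describes: the pattern is concatenated into the query text.

    A quote inside the pattern terminates the string literal early, so the query
    parser sees garbage after it and raises an error instead of returning rows.
    """
    sql = "select pageId from Page where name like '" + title_pattern + "' order by pageId"
    return [row[0] for row in conn.execute(sql)]


def page_ids_bound(conn: sqlite3.Connection, title_pattern: str) -> List[int]:
    """The fix the reporter applied: bind the pattern as a named parameter.

    The driver sends the pattern as data rather than as query text, so quotes
    in a page title are matched literally and cannot alter the statement.
    """
    sql = "select pageId from Page where name like :name order by pageId"
    return [row[0] for row in conn.execute(sql, {"name": title_pattern})]


def concat_failure(conn: sqlite3.Connection, title_pattern: str) -> Optional[str]:
    """Return the exception class name if the concatenated query fails, else None."""
    try:
        page_ids_concat(conn, title_pattern)
        return None
    except sqlite3.OperationalError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    # A title pattern containing a quote, as in step 1 of the report.
    pattern = "O'Neill%"
    print("bound parameter  :", page_ids_bound(db, pattern))
    print("concatenated sql :", concat_failure(db, pattern))
```

Binding fixes the syntax breakage and removes the injection surface, but it does not change LIKE semantics: `%` and `_` in the bound value are still wildcards, which is the intended behaviour for a title pattern. If a caller ever needs a literal match on those characters, escape them and add an `escape` clause rather than going back to string concatenation.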

GoogleCodeExporter commented 9 years ago
Thanks for reporting this.
There has already been a TODO in the code for quite a while that says we need to 
improve that.

PageQuery is not used very often, and as it is not implemented efficiently anyway, 
fixing this has low priority.
Any time going into this would probably better be invested in a proper indexing.

I leave that issue open in order to document the shortcoming.

Original comment by torsten....@gmail.com on 12 Nov 2014 at 4:46