Open stazz opened 12 years ago
Although, developers should be strongly advised to use ? as a placeholder for variables, in conjunction with java.sql.PreparedStatement objects. Hence this should be a low-priority issue.
Actually, this has more to do with situations where things like column names etc. are taken from the user input. Therefore, all string parameters of all factory methods in SQL Generator should be sanitized.
Couldn't these be PreparedStatement parameters too?
Well yes, but I meant the cases when you get user input for, e.g., your column names in a table definition. Can't use prepared statement parameters there, IIRC. I might be wrong, but there are cases where you can't use prepared statements or PS parameters.
Make the strings produced by java-sql-generator take into account the possibility for SQL injection.
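The distinction raised in this thread (values can be bound as `?` parameters, identifiers such as column and table names cannot) is illustrated below in an added example. This is not code from java-sql-generator; the class `SafeSqlBuilder`, its methods, the `users` table and its column set are all constructed for the illustration. Identifiers taken from user input are restricted to a strict pattern and checked against an allowlist of known columns before they are quoted into the SQL string, while the filter value is bound through `PreparedStatement` and never concatenated.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical builder showing how identifiers and values get different treatment. */
public final class SafeSqlBuilder {

    // Identifiers cannot be PreparedStatement parameters, so they are constrained to a
    // plain identifier shape: a letter or underscore followed by letters, digits, underscores.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    private SafeSqlBuilder() {}

    /** Returns the identifier wrapped in double quotes, or throws if it is not a plain identifier. */
    public static String quoteIdentifier(String name) {
        if (name == null || !IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("Invalid SQL identifier: " + name);
        }
        return "\"" + name + "\"";
    }

    /** Stronger check for user-supplied column names: the name must exist in the known schema. */
    public static String checkedColumn(String name, Set<String> allowedColumns) {
        if (!allowedColumns.contains(name)) {
            throw new IllegalArgumentException("Unknown column: " + name);
        }
        return quoteIdentifier(name);
    }

    /**
     * Builds "SELECT <cols> FROM <table> WHERE <filterColumn> = ?".
     * Every identifier passes through validation; the value stays a ? placeholder.
     */
    public static String buildSelect(String table, List<String> columns,
                                     String filterColumn, Set<String> schemaColumns) {
        StringBuilder sb = new StringBuilder("SELECT ");
        for (int i = 0; i < columns.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(checkedColumn(columns.get(i), schemaColumns));
        }
        sb.append(" FROM ").append(quoteIdentifier(table));
        sb.append(" WHERE ").append(checkedColumn(filterColumn, schemaColumns)).append(" = ?");
        return sb.toString();
    }

    /** Executes the built statement, binding the filter value as a parameter. */
    public static int countMatches(Connection conn, String sql, Object filterValue) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setObject(1, filterValue);
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) {
                    rows++;
                }
                return rows;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed schema for the example; a real generator would take this from metadata.
        Set<String> userColumns = Set.of("id", "name", "email");

        // Well-formed request: identifiers validated, value left as a ? placeholder.
        System.out.println(buildSelect("users", List.of("id", "name"), "email", userColumns));

        // Constructed hostile column name: rejected before it can reach the SQL text.
        try {
            buildSelect("users", List.of("name\" OR 1=1 --"), "email", userColumns);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check (`checkedColumn`) is the part that matters for the column-name case discussed above: a syntactic identifier pattern alone still lets a caller pick any existing column, so a generator that accepts user-supplied names should also confirm the name belongs to the table in question. `countMatches` is kept separate from the builder so that the only runtime input reaching the database is bound through `setObject`.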