Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within an HQL query handled?
example:

    public List<Student> loadAllStudentsByStatus(String status) {
        // status is concatenated straight into the HQL text
        String queryString = "FROM Student student WHERE student.status = " + status;
        Query queryObject = currentSession().createQuery(queryString);
        return queryObject.list();
    }
Will status be "parsed" and used as a parameter in SQL, or does it get sent as an inline parameter?
My reason behind the argument is "best practices" and query performance for repetitive calls.
It gets sent inline. You definitely don't want to do this when status is a client-controlled value.
Rather, parameterize it:

    return currentSession()
        .createQuery("FROM Student student WHERE student.status = :status")
        .setParameter("status", status)
        .list();