Prepared statements, hibernate and HQL

Published 2019-03-25 08:23

Hibernate internally uses PreparedStatements under JDBC when converting HQL to SQL. How are inline parameters within HQL handled?

example:

  public List<Student> loadAllStudentsByStatus(String status) {
    String queryString = "FROM Student student WHERE student.status = " + status;
    Query queryObject = currentSession().createQuery(queryString);
    return queryObject.list();
  }

Will status be "parsed" and used as a parameter in SQL, or does it get sent as an inline parameter?

My reason behind the argument is "best practices", and query performance for repetitive calls.

1 answer
爷、活的狠高调
Post #2 · 2019-03-25 08:30

It gets sent inline. You definitely don't want to do this when status is a client-controlled value.

Rather parameterize it:

return currentSession()
    .createQuery("FROM Student student WHERE student.status = :status")
    .setParameter("status", status)
    .list();

See also:
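To make the difference concrete, here is an added example (not code from the question or the answer above) that puts the concatenated form next to the parameterized form in one repository class. It assumes a mapped entity `Student` with a `String` field `status` and an already-open Hibernate `Session` (Hibernate 5.2 or later, where `createQuery(String, Class)` and `getResultList()` are available); the class and method names are made up for this illustration.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example, not from the original post. Assumes a mapped entity
// `Student` with a String field `status` and an open Hibernate Session.
public class StudentRepository {
    private final Session session;

    public StudentRepository(Session session) {
        this.session = session;
    }

    // Concatenated form (what the question does). The value becomes part of
    // the HQL text, so nothing is bound as a JDBC parameter. Consequences:
    //  - Hibernate sees a different HQL string for every distinct status, so
    //    it must parse and translate each one and its query plan cache is
    //    defeated; the database likewise sees a new SQL text each time.
    //  - If `status` is client-controlled, a value containing a quote
    //    character changes the structure of the query, not just its data.
    // Note the quotes around the value: without them (as in the question's
    // snippet) HQL would read a value such as ACTIVE as an identifier and
    // fail to parse, so a string-typed column would never work at all.
    public List<Student> byStatusConcatenated(String status) {
        String hql = "FROM Student s WHERE s.status = '" + status + "'";
        return session.createQuery(hql, Student.class).getResultList();
    }

    // Parameterized form (what the answer recommends). The HQL text is a
    // constant, so Hibernate translates it once and reuses the cached plan,
    // and the JDBC driver ships the value separately from the SQL text via
    // PreparedStatement.setString, so it can never be read as part of the
    // statement. This is the version to call with any external input.
    public List<Student> byStatus(String status) {
        Query<Student> query = session.createQuery(
                "FROM Student s WHERE s.status = :status", Student.class);
        query.setParameter("status", status);
        return query.getResultList();
    }
}
```

The performance point from the question follows directly from the cache behaviour: Hibernate keys its HQL-to-SQL plan cache on the query string, so `byStatus` hits that cache on every repeated call while `byStatusConcatenated` misses it whenever the value changes. If you want to see which form you actually have, enable SQL logging (`hibernate.show_sql`) and look for `?` placeholders in the emitted SQL; a literal value in the logged statement means it was inlined.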
