Detecting Injection in Hibernate
I'm using Hibernate and I want to prevent injections into Hibernate prepared statements. Is there a straightforward way to do this? Regards, Hamed
Let me rephrase my problem. :-) I have a lot of queries in my code which are in the form: session.createQuery(...). There are two kinds of queries: those that have setParameters, and those that do not. The latter is in the form: select * from XYZ where username = '" + username + "' and password = '" + password + "'" which is not suitable for me. Now, my problem is how I can find the second form automatically. Do I have any solution?
If you up your logging to DEBUG, you can see what Hibernate is doing. It outputs statements indicating what it's doing with Prepared Statements, including when it reuses them.
You will need to up your logging (see @Aaron Sheffey) and turn on show sql. Here is the property to set.
hibernate.show_sql=true
See here for more details on the logging you can do: http://docs.jboss.org/hibernate/core/3.3/reference/en/html/session-configuration.html#configuration-logging
The following log4j properties will place the Hibernate statements into their own file as well.
log4j.logger.org.hibernate=DEBUG, org.hibernate
log4j.appender.org.hibernate=org.apache.log4j.DailyRollingFileAppender
log4j.appender.org.hibernate.DatePattern=-yyyy-MM-dd-HH
log4j.appender.org.hibernate.File=${catalina.base}/logs/hibernate.log
log4j.appender.org.hibernate.layout=org.apache.log4j.PatternLayout
log4j.appender.org.hibernate.layout.ConversionPattern=%d{dd MMM yyyy HH\:mm\:ss,SSS} [%t] %-5p %c %x - %m%n
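A static check for the second query form described in the question, as an added example that is not part of the original posts: it scans Java source for createQuery/createSQLQuery calls whose argument joins a non-literal value with +. The sample source and the function names are constructed for illustration, and covering createSQLQuery goes beyond the createQuery calls the question mentions.

```python
import re

# Constructed sample Java source for illustration (not from the original posts).
SAMPLE = r'''
class UserDao {
  User unsafe(Session session, String username, String password) {
    return (User) session.createQuery(
        "from User where username = '" + username
        + "' and password = '" + password + "'").uniqueResult();
  }
  User safe(Session session, String username) {
    return (User) session.createQuery("from User " +
        "where username = :name").setParameter("name", username).uniqueResult();
  }
}
'''

CALL = re.compile(r"\bcreate(?:SQL)?Query\s*\(")
STRING = re.compile(r'"(?:\\.|[^"\\])*"')  # a Java string literal

def call_argument(src, start):
    """Return the text from index start up to the ')' closing the call."""
    depth, i, in_str = 1, start, False
    while i < len(src) and depth:
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        else:
            depth += (c == "(") - (c == ")")
        i += 1
    return src[start:i - 1]

def find_concatenated_queries(src):
    """Return (line, argument) for calls that join a non-literal with '+'."""
    hits = []
    for m in CALL.finditer(src):
        arg = call_argument(src, m.end())
        code_only = STRING.sub("", arg)  # what is left outside string literals
        if "+" in code_only and re.search(r"[A-Za-z_]", code_only):
            line = src.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(arg.split())))
    return hits

if __name__ == "__main__":
    print(find_concatenated_queries(SAMPLE))
```

A query string assembled in a variable before the call is not caught by this check, and literal-only concatenation such as the `safe` method is deliberately ignored.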