
Detecting Injection in Hibernate

Developer https://www.devze.com 2023-04-11 04:31 Source: web
I'm using Hibernate and I want to prevent injections into Hibernate prepared statements. Is there a straightforward way to do this? Regards, Hamed


Let me rephrase my problem. :-) I have a lot of queries in my code which are in the form session.createQuery(...). There are two kinds of queries: those that have setParameters and those that do not. The latter are in the form: select * from XYZ where username = '" + username + "' and password = '" + password + "'" which is not suitable for me. Now, my problem is how I can find the second form automatically. Do I have any solution?
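
The second form can be found automatically with a token-level scan of the Java sources. The Python script below is an added example, not code from the question or from Hibernate; the Java snippet it scans is constructed. It looks for createQuery, createSQLQuery and createNativeQuery calls and reports any whose first argument is not built purely from string literals, so query text that comes from a variable, from String.format or from a constant is listed for review. It is a heuristic, not a Java parser: it does not skip commented-out code, and a static final HQL constant is reported alongside real concatenation.

```python
"""Heuristic scanner for Hibernate query calls whose query text is assembled
at run time (string concatenation, String.format, a variable) instead of a
fixed literal with values supplied through setParameter()."""
import re

# Session methods whose first argument is HQL/SQL text.
QUERY_METHODS = ("createQuery", "createSQLQuery", "createNativeQuery")
CALL = re.compile(r"\.(%s)\s*\(" % "|".join(QUERY_METHODS))
JAVA_STRING = re.compile(r'"(?:\\.|[^"\\])*"')


def first_argument(src, open_idx):
    """Return the text of the first argument of the call whose '(' sits at
    src[open_idx], honouring nested parentheses and Java string literals.
    Returns None if the parentheses are unbalanced."""
    depth = 0
    in_str = False
    i = open_idx
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        elif c == "," and depth == 1:
            return src[open_idx + 1:i]   # e.g. createQuery("from User", User.class)
        i += 1
    return None


def is_dynamic_query(arg):
    """True unless the argument is one literal or several literals joined by '+'.
    Anything else (variable, method call, constant) is reported for review."""
    stripped = JAVA_STRING.sub("\x00", arg)        # each literal becomes one marker
    leftover = re.sub(r"[\x00+\s]", "", stripped)  # drop markers, '+' and whitespace
    return leftover != ""


def scan(src):
    """Return [(line_no, method, argument_text)] for every dynamic query call."""
    findings = []
    for m in CALL.finditer(src):
        arg = first_argument(src, m.end() - 1)
        if arg is not None and is_dynamic_query(arg):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1), " ".join(arg.split())))
    return findings


# Constructed Java snippet (not from the question) mixing both query styles.
SAMPLE_JAVA = """\
Session session = sf.openSession();
// safe: fixed HQL text, values bound with setParameter
List users = session.createQuery("from User u where u.username = :name")
    .setParameter("name", username).list();
// unsafe: query text assembled from request values
List rows = session.createQuery("select * from XYZ where username = '" + username + "' and password = '" + password + "'").list();
// unsafe: native SQL assembled with String.format
session.createSQLQuery(String.format("select * from t where id = %s", id)).list();
// safe: typed variant, second argument is a Class, not query text
session.createQuery("from User", User.class).list();
"""

if __name__ == "__main__":
    for line_no, method, arg in scan(SAMPLE_JAVA):
        print("line %d: %s(%s)  <- query text is not a fixed literal" % (line_no, method, arg))
```

Run it over each .java file (for example by reading the file into scan()) and fix every hit by moving the value into a named parameter and a setParameter call; a hit on a constant is a false positive you can dismiss after reading it.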


If you up your logging to DEBUG, you can see what Hibernate is doing. It outputs statements indicating what it's doing with Prepared Statements, including when it reuses them.


You will need to up your logging (see @Aaron Sheffey) and turn on show_sql. Here is the property to set.

hibernate.show_sql=true

See here for more details on the logging you can do: http://docs.jboss.org/hibernate/core/3.3/reference/en/html/session-configuration.html#configuration-logging

The following log4j properties will place the Hibernate statements into their own file as well.

# everything under org.hibernate at DEBUG, sent to the appender named "org.hibernate"
log4j.logger.org.hibernate=DEBUG, org.hibernate

# rolling file under Tomcat's logs directory; the DatePattern rolls it hourly
log4j.appender.org.hibernate=org.apache.log4j.DailyRollingFileAppender
log4j.appender.org.hibernate.DatePattern=-yyyy-MM-dd-HH
log4j.appender.org.hibernate.File=${catalina.base}/logs/hibernate.log
log4j.appender.org.hibernate.layout=org.apache.log4j.PatternLayout
log4j.appender.org.hibernate.layout.ConversionPattern=%d{dd MMM yyyy HH\:mm\:ss,SSS} [%t] %-5p %c %x - %m%n
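
Once show_sql or the org.hibernate.SQL logger is on, the executed statements can be checked automatically rather than by eye: a statement that came from a string-concatenated query carries its values inline as quoted or numeric literals, while a parameterised one carries ? placeholders and its values show up only in the parameter-binding TRACE lines from org.hibernate.type. The Python script below is an added example, not part of either answer. The log excerpt is constructed in the layout of the ConversionPattern above, and the wording and logger names of the TRACE lines are assumed.

```python
"""Audit Hibernate SQL log output for statements that carry values inline
instead of '?' placeholders, i.e. statements built by string concatenation."""
import re

# show_sql prints "Hibernate: <sql>"; the org.hibernate.SQL logger prints the
# SQL as the message, here in the ConversionPattern layout used above.
SQL_LINE = re.compile(r"^(?:Hibernate:\s*|.*?\borg\.hibernate\.SQL\b\s*-\s*)(.+)$")
SQL_STRING = re.compile(r"'(?:[^']|'')*'")     # SQL literal; '' escapes a quote
NUM_AFTER_OP = re.compile(r"[=<>]\s*-?\d")     # e.g. customer_id=42


def extract_sql(line):
    """Return the SQL text of a logged statement, or None for other log lines."""
    m = SQL_LINE.match(line)
    return m.group(1).strip() if m else None


def classify(sql):
    """'parameterized': values only via '?'; 'inlined': literals and no '?';
    'mixed': some values bound, some inlined."""
    without_strings = SQL_STRING.sub("''", sql)
    has_literal = bool(SQL_STRING.search(sql)) or bool(NUM_AFTER_OP.search(without_strings))
    placeholders = without_strings.count("?")   # '?' inside a literal is not a placeholder
    if has_literal and placeholders:
        return "mixed"
    if has_literal:
        return "inlined"
    return "parameterized"


def audit(lines):
    """Return [(line_no, verdict, sql)] for statements that are not fully parameterized."""
    findings = []
    for n, line in enumerate(lines, 1):
        sql = extract_sql(line)
        if sql is None:
            continue
        verdict = classify(sql)
        if verdict != "parameterized":
            findings.append((n, verdict, sql))
    return findings


# Constructed excerpt (not a real log): the same login query issued the safe way
# (values bound, payload stays in the TRACE line) and the concatenated way
# (payload lands in the SQL), plus a half-parameterized query.
SAMPLE_LOG = """\
11 Apr 2023 04:31:02,118 [http-8080-1] DEBUG org.hibernate.SQL  - select user0_.id as id1_0_, user0_.username as username2_0_ from users user0_ where user0_.username=? and user0_.password=?
11 Apr 2023 04:31:02,119 [http-8080-1] TRACE org.hibernate.type.StringType  - binding 'admin' to parameter: 1
11 Apr 2023 04:31:02,119 [http-8080-1] TRACE org.hibernate.type.StringType  - binding '' or '1'='1' to parameter: 2
Hibernate: select user0_.id as id1_0_, user0_.username as username2_0_ from users user0_ where user0_.username='admin' and user0_.password='' or '1'='1'
Hibernate: select order0_.id as id1_1_ from orders order0_ where order0_.customer_id=42 and order0_.status=?
"""

if __name__ == "__main__":
    for n, verdict, sql in audit(SAMPLE_LOG.splitlines()):
        print("line %d [%s]: %s" % (n, verdict, sql))
```

Constants written into legitimate HQL (where status='ACTIVE') are reported too, so treat the output as a review list and trace each hit back to its createQuery call. Keep in mind that org.hibernate.type at TRACE writes every bound value, passwords included, into hibernate.log, so enable that level on a test system and not in production.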
