In EJB query, it's recommended to use setParameters() instead of concatenating string parameters in order to avoid SQL injection attack.
My question is: how to set parameters within '' in SQL update statements with 'SET':
String basicQuery = "update some table set somecolumn = ':para'";
Query query = em.createQuery(basicQuery);
query.setParameters("para", someString);
The runtime complains that it cannot locate parameter "para". Any workaround is appreciated.
Remove the single quotes around
:para.