DB resources is vulnerable to (H)SQL injection

[bruno]

DB resources builds queries by injecting parts from the URI into them, unescaped.

See for example this code in JpaUtils?:

where.append(select.toString() + ".id = ");
where.append(segment.isVariable() ? attributes.get(segment.getName()) : segment.getName());

There is some sort of a protection though because of issue #131.

[mpo]

there is a plan to address some extra features in dbresources post 0.4
see ​http://kauriproject.org/wiki/g2/319-kauri.html