I have the following query and params. I dont want to execute the query(jdbcTemplate.queryForObject) but instead pass this query with params as string to another method. How can I assign this params to prepared statement and save the query as a string?
final String QUERY = "select * "
+ "from gfc.LSI_ELGBLTY "
+ "where INSURANCE_ID = ? and "
+ "SYS_CD = ? and "
+ "ACCT_TYPE in (?)";
Object[] params = new Object[] {
request.getInsuranceId(),
request.getSystemId(),
AcctNameBuilder.toString()
};
You don't want to do this because replacing ? in a prepared statements with actual values in most cases will force database to re-process and re-plan the SQL query. It's really wasteful, if you already have a prepared statement so use it.
You could however define a shared PreparedStatementCreator object and pass it to JdbcTemplate#query(PreparedStatementCreator psc, ResultSetExtractor<T> rse).
Take a look at String.format.
String.format("Hello %s, %d", "world", 50);
Would return "Hello world 50".
Format specifiers:
%s - insert a string
%d - insert a signed integer (decimal)
%f - insert a real number as standard notation
An other example:
String.format("The {0} is repeated again: {0}", "word");
Return: "The word is repeated again: word"
Related
I'm working on a small program that lists local train stops in a numbered list then asks for the user to type the number of the station that they wish to see the next arrival time for.
The problem I have is I don't think the MySQL query is correct to retrieve the arrival time. The list returns empty. Using jdbc previously, this query worked fine:
"SELECT arrival_time FROM stop_times WHERE stop_id = '"
+ myStation.getID()
+ "' AND arrival_time > time('now', 'localtime') ORDER BY arrival_time asc;";
And the current hibernate query:
public List<String> getArrivals() {
sessionFactoryBean.getCurrentSession().beginTransaction();
String sql = "SELECT arrival_time FROM stop_times WHERE stop_id = '"
+ myStation.getID()
+ "' AND arrival_time > time('now', 'localtime') ORDER BY arrival_time asc;";
Query query = sessionFactoryBean.getCurrentSession()
.createSQLQuery(sql)
.addEntity(Station.class);
List<String> arrivals = query.list();
sessionFactoryBean.getCurrentSession().getTransaction().commit();
return arrivals;
}
Called from this method and where I get IndexOutOfBoundsException:
public String getNextArrival(int user_input) {
getStationName(user_input);
List<String> arrivals1 = arrival.getArrivals();
System.out.println(arrivals1);
System.out.println(arrivals1.size());
String arrivalTime = arrivals1.get(user_input);
return convertTime(arrivalTime);
}
Exception in thread "main" java.lang.IndexOutOfBoundsException: Index: 0,
Size: 0
at java.util.ArrayList.rangeCheck(ArrayList.java:653)
at java.util.ArrayList.get(ArrayList.java:429)
at com.moeller.code.Stops.getNextArrival(Stops.java:73)
Line 73 String arrivalTime = arrivals1.get(user_input);'
The DataBase is stored locally.
There are several problems with this.
First, the query does not use parameters, which means you will likely make this mistake elsewhere where it will be a danger. You have to pass on variables like this:
String sql = "SELECT arrival_time FROM stop_times WHERE stop_id = ?"
+ " AND arrival_time > time('now', 'localtime') ORDER BY arrival_time asc;";
Query query = sessionFactoryBean.getCurrentSession()
.createSQLQuery(sql)
.addEntity(Station.class);
query.setParameter(1, myStation.getID());
See the question mark? That is a positional parameter. You can also use named parameters.
String sql = "SELECT thing FROM table WHERE column1 LIKE :ptrn";
...
query.setParameter("ptrn", "%that%");
Notice how inside the query the parameter starts with :, but it does not when calling setParameter.
This way of safely inserting parameters is called using "Prepared Statements", or "Parameterized Queries". Find a quick tutorial on them, they are very important.
Secondly, in getNextArrival you forget to check if the list has that many elements.
if (arrivals1.size() <= user_input) {
return null;
}
Of course then you have to be careful when it returns a null to the function where it's used.
You are using a wrong method for the List.
when yo use List.get(param) param should be the position that you are looking for, no the userInput.
you need loop the list and compare each position of the list with the user input.
best Regards
I'm trying to use PostgreSQL IF sentence and I use MapSqlParametersSource to pass parameter to the SQL query. Interesting thing happens that if I pass a parameter to IF condition subquery it won't accept (interpret it properly) it, but if I define value in subquery then it will give me the results. So what I mean is this:
This works
MapSqlParameterSource params = new MapSqlParameterSource();
params.addValue("recurr", true);
String sql = "DO " +
"$do$ " +
"BEGIN " +
"IF (SELECT f.recurring_till FROM FINANCE_ENTITY f WHERE f.recurring = true) THEN SELECT amount, name FROM FINANCE_ENTITY; " +
"END IF; " +
"END " +
"$do$";
getNamedParameterJdbcTemplate().query(sql, params, BeanPropertyRowMapper.newInstance(FinanceEntity.class));
This return me results successfully.
This won't work
MapSqlParameterSource params = new MapSqlParameterSource();
params.addValue("recurr", true);
String sql = "DO " +
"$do$ " +
"BEGIN " +
"IF (SELECT f.recurring_till FROM FINANCE_ENTITY f WHERE f.recurring = :recurr) THEN SELECT amount, name FROM FINANCE_ENTITY; " +
"END IF; " +
"END " +
"$do$";
getNamedParameterJdbcTemplate().query(sql, params, BeanPropertyRowMapper.newInstance(FinanceEntity.class));
This will give me always following error:
org.postgresql.util.PSQLException: The column index is out of range: 1, number of columns: 0.
My question is why I can't pass a parameter to my subquery using MapSqlParameterSource?
I use PostgreSQL 9.3.
The problems with parameter passing aside (so this does not directly answer your question) you don't need either a DO statement or an IF for this. A simple SELECT does the job:
SELECT amount, name
FROM FINANCE_ENTITY
WHERE EXISTS (
SELECT 1
FROM FINANCE_ENTITY
WHERE recurring = $1
AND recurring_till
);
More importantly, you cannot return rows from a DO statement at all. So your claim "This return me results successfully" is ... a surprise to say the least. Because that's impossible:
How to perform a select query in a DO block?
PostgreSQL Function PERFORM
I am using postgres 9.1 and java code for jdbc.
I may use a order by clause in my sql query string
I just want to get the meta data information of the query to find whether the query has order by clause or not. If it has then how many fields has been specified in the order by clause.
Ex:
order by age
order by age, name
order by age asc, name desc
In these example I just want to retrieve the number of parameters that are specified in the order by clause and their column names.
If your are getting your query as string you could simply parse it.
i.e. To figure out that ORDER BY is there
"SELECT * FROM MyTable ORDER BY SomeColumn".toLowerCase().indexOf("order by") // if it's return -1 query does not contains order by section otherwise it returns start index for first occurence "ORDER BY" in given string
For more complex searching in string you may need to use RegExp
You can do it by breaking an SQL query into part and then reassigning.
Like
String sql="SELECT NAME,COMPANY,FNAME,AGE FROM COMP_DATA JOIN PERSONAL_DATA WHERE (1=1) AND FNAME='Vaibs' ORDER BY AGE";
While writing in JAVA do as below.
Break Whole query into String parts and recombine it like this.
String strSQL = "SELECT " + "NAME"+",COMPANY"+",FNAME"+",AGE" + "FROM "
+ getTableName1(); //getTableName1() return tablename
strSQL+="JOIN "+ getTable2()+"";//getTable2() return tablename as well
String strWhere = " WHERE (1=1) " + " and FNAME='" + fname+ "';
String orderBySQL = " Order by " + i_will_return_string_to_order_by();
//return AGE in our case
String FinalString= strSQL +strWhere +orderBySQL ;
SOP order by to get what you want.
Hope that helped.
I am trying to implement PreparedStatement, which won't work with sql DB.
Suppose I have the following sql query:
String selectSqlQuery = "SELECT * FROM customer WHERE f1 = ? AND f2 =? AND f3 > ?";
and the following code:
//----
prest = con.prepareStatement(selectSqlQuery );
prest.setString(1, "val1");
prest.setString(2, "val2");
prest.setInt(3, 108);
ResultSet rs = prest.executeQuery();
//---
My question is how to implement setString and setInt methods for injecting params?
For now I save parameters' indexes and values into HashMap, but after it I can't make injection into sql query string.
implementation of sql's java interfaces are part of vendor specific jdbc driver. You probably just need to get the proper jdbc jar file for you database. writing implementations of such stuff is usually just needed if you intend to write your own database driver...
Since you're writing your own driver, you can play with your class a little. Let's change the approach. If you have a query like this one:
"SELECT * FROM table WHERE id = ? AND name = ?"
Replace the ? to turn it into
"SELECT * FROM table WHERE id = {0} AND name = {1}"
About your set methods, those will have to save your new parameters in an Object array, again matching against the index.
Object parameterArray = new Object[1];
public boolean setString(int paramIndex, String param) {
if(paramIndex < 0 || paramIndex > parameterArray.length)
throw new IllegalArgumentException("Can't set parameter " + paramIndex + ", The query only has " + parameterArray.length + " parameters.");
parameterArray[paramIndex - 1] = param;
}
Before executing the query, take advantage of your formatted string and set the parameters:
MessageFormat messageFormat = new MessageFormat(query);
String newQuery = messageFormat.format(parameterArray);
The format method will replace the {number} substrings for the corresponding element in the index represented by the number between brackets.
We're using JdbcTemplate to modify our underlying Oracle database. We're doing this by way of the update(String sql) method.
The code looks somehow like the following:
String name = "My name's yellow";
String sql = "update FIELD set NAME = '" + name "' where ID = 10
jdbcTemplate.update(sql);
This causes the error:
java.sql.SQLException: ORA-00933: SQL command not properly ended
The problem is the unescaped ' in the name variable.
What's the most convenient and correct way to escape this character?
Use PreparedStatement. That way you nominate a placeholder and the JDBC driver will perform this correctly by sending the database the statement, plus the parameters as arguments.
String updateStatement =
"update " + dbName + ".COFFEES " +
"set TOTAL = TOTAL + ? " +
"where COF_NAME = ?";
PreparedStatement updateTotal = con.prepareStatement(updateStatement);
updateTotal.setInt(1, e.getValue().intValue());
updateTotal.setString(2, e.getKey());
The question marks in the above represent the placeholders.
Because these values get passed as parameters, you don't have problems with quoting, and it protects you against SQL injection too.
Try for name :
if ( name.contains("'") ){
name.replaceAll("'", "''");
}