I would like to launch simple code:
SelectQuery query = dsl.select(field ("id"), field("title")).from("dict.models").getQuery();
if (modelId > 0) query.addConditions(field("model_id", SQLDataType.INTEGER).equal(modelId));
But infortunately in getSQL() I can only see:
select id, title from dict.models where model_id = ?
Where is a mistake?
Thanks.
Query.getSQL() generates the SQL statement as it would be generated if you let jOOQ execute a PreparedStatement - with bind variables. The bind variables can be extracted in the right order via Query.getBindValues()
If you want to inline all bind values into the generated SQL, you have various options through the jOOQ API (all equivalent):
Using Query.getSQL(ParamType) with ParamType.INLINE
Using dsl.renderInlined(QueryPart)
Using StatementType.STATIC_STATEMENT in your Settings
Related
I am currently working on fixing some SQL injection bugs in my project.
Here is my current sql string:
String sql = "select * from :table order by storenum";
Here is how I am setting the parameters:
SQLQuery query = sess.createSQLQuery(sql).setParameter("table", table);
(table is a string that is passed in through a method)
Whenever I run the program I get something like this:
select * from ? order by storenum
You can't dynamically bind table names, only values, so you'll have to resort to string manipulation/concatenation to get the table name dynamically. However, you would probably want to escape it to avoid SQL Injections.
Using Java 11 and JDBC.
Having PostgreSQL table "employee":
I need to have an ability to select data, but I don't know in advance, what WHERE conditions would be used.
It could be:
SELECT * FROM employee WHERE job_name='PRESIDENT';
SELECT * FROM employee WHERE job_name='PRESIDENT' OR salary>6000;
SELECT * FROM employee WHERE salary<5000 AND manager_id=68319;
Writing all possible SQL in the code, would take a lot of time.
Probably, there is some library, that already has implementation for it.
Try sqlBuilder [http://sqlobject.org/SQLBuilder.html]. it has support to build dynamic where clauses based on condition. something like below
var query = SQL
.SELECT("*")
.FROM("employee")
.WHERE()
._If(job_name=="PRESIDENT", "job_name = {0}", job_name)
.ORDER_BY("job_name");
Is any possibility to execute N1QL update query using spring-data?
I.e. I have following update query:
"UPDATE USERS USE KEYS $id SET location = $location"
I tried to use couchbaseTemplate.queryN1QL method, but it doesn't work.
Is there any solution of this problem using spring data or even native couchbase java SDK?
the CouchbaseTemplate is more tailored towards Spring Data document's use case, so it expects to run queries that return specific elements and will end up unmarshalled into entities (eg. a User object).
if you want to run a more freeform query, like your update, you can always access the native SDK from the template. In your case:
String paStatement = "UPDATE USERS USE KEYS $id SET location = $location";
JsonObject paramValues = JsonObject.create().put("id", theId).put("location", "theLocation");
N1qlQuery query = N1qlQuery.parametrized(paStatement, paramValues);
template.getCouchbaseBucket().query(query);
I think you can add RETURNING * at the end of your UPDATE statement. It would make the statement returns something. It works for me.
I am trying to build a query using jOOQ, this is my test code:
DSLContext create = DSL.using(SQLDialect.DERBY);
String query = create.select().from(TABLE).limit(1).offset(0).getSQL()
I get as query:
select field1, field2...fieldN etc from TABLE offset ? rows fetch next ? rows only
the problem is ? in ? rows fetch next ? rows only it seems to ignore the values that i used in limit and offset to build the query, why?
I am trying to select the first row from the results and I am using jooq 3.4.1
Thanks for the help
Query.getSQL() returns your SQL string with ? as placeholders for your bind variables. The idea is that you can feed this statement to a PreparedStatement and then explicitly bind all variables, which are available through Query.getBindValues().
You can also have jOOQ inline all your bind variables, by calling Query.getSQL(ParamType) as such:
String sql = query.getSQL(ParamType.INLINED);
Following on from one of my previous questions to do with method design I was advised to implemented my SQL queries as a parameterized query as opposed to a simple string.
I've never used parameterized queries before so I decided to start with something simple, take the following Select statement:
String select = "SELECT * FROM ? ";
PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "person");
This gives me the following error: "[SQLITE_ERROR] SQL error or missing database (near "?": syntax error)"
I then tried a modified version which has additional criteria;
String select = "SELECT id FROM person WHERE name = ? ";
PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "Yui");
This version works fine, in the my first example am I missing the point of parameterized queries or am I constructing them incorrectly?
Thanks!
Simply put, SQL binds can't bind tables, only where clause values. There are some under-the-hood technical reasons for this related to "compiling" prepared SQL statements. In general, parameterized queries was designed to make SQL more secure by preventing SQL injection and it had a side benefit of making queries more "modular" as well but not to the extent of being able to dynamically set a table name (since it's assumed you already know what the table is going to be).
If you want all rows from PERSON table, here is what you should do:
String select = "SELECT * FROM person";
PreparedStatement ps = connection.prepareStatement(select);
Variable binding does not dynamically bind table names as others mentioned above.
If you have the table name coming in to your method as a variable, you may construct the whole query as below:
String select = "SELECT * FROM " + varTableName;
PreparedStatement ps = connection.prepareStatement(select);
Parameterized queries are for querying field names - not the table name!
Prepared statements are still SQL and need to be constructed with the appropriate where clause; i.e. where x = y. One of their advantages is they are parsed by the RDMS when first seen, rather than every time they are sent, which speeds up subsequent executions of the same query with different bind values.