I am using simpleJDBCTemplate to insert a value to a postgre database.
String sql "insert into testTable values(:bla, :blah, functionThatTakesAText(':blu'))"
BeanPropertySqlParameterSource namedParameters = new BeanPropertySqlParameterSource(lighting);
simpleJdbcTemplate.update(sql, namedParameters);
Now, the blu parameter is actually a number(the actual sql takes 2 real's ) that is read from a file given by the client.
As a result the database receives something like the following:
insert into testTable values(?, ?, functionThatTakesAText(':blu'))
and fails to replace the :blu parameter as expected.
The current workaround that I'm using is replacing the blu parameter with its value using a regex, but I'm unsure on how safe that is.
How would you solve that?
Spring will skip over anything inside quotes in the SQL (see the skipCommentsAndQuotes() method of NamedParameterUtils), on the basis that anything inside quotes shouldn't be touched.
That makes sense in this context - you would want the prepared statement to say
functionThatTakesAText(?)
rather than
functionThatTakesAText('?')
Try removing the quotes there, and the placeholder should be substituted correctly.
Related
I am currently working on fixing some SQL injection bugs in my project.
Here is my current sql string:
String sql = "select * from :table order by storenum";
Here is how I am setting the parameters:
SQLQuery query = sess.createSQLQuery(sql).setParameter("table", table);
(table is a string that is passed in through a method)
Whenever I run the program I get something like this:
select * from ? order by storenum
You can't dynamically bind table names, only values, so you'll have to resort to string manipulation/concatenation to get the table name dynamically. However, you would probably want to escape it to avoid SQL Injections.
I'm having issues dealing with the single quote while using it in a prepared statement in JAVA via Oracle JDBC.
Let's say we have a table Restaurant with a column restaurant_name with 1 value : Jack's Deli
I want to use a simple prepared statement query like this:
String result = "Jack\'\'s Deli"
String sqlStatement = "select * from Restaurant where restauraunt_name like ? escape '\\' ";
PreparedStatement pStmt = conn.prepareStatement(sqlStatement);
pstmt.setString(1, result);
The result shows 0 returned values, however when I directly search the query in the database (ORACLE) it works fine and retrieves the result. (Oracle uses two single quotes as an escape for the first)
I am thinking that the value is not being passed properly to the database. Or there is some other formatting issue.
The point of prepared statements is that you don't need any escaping.
.setString(1, "Jack's Deli") will get it done.
DELIMITER //
CREATE PROCEDURE temp ( empId INT)
BEGIN
DECLARE var_etype VARCHAR(36);
SELECT
emptype = QOUTE(emptype)
FROM
dms_document
WHERE
id = empid;
SELECT
emptype,
CASE
WHEN emptype = 'P' THEN doctype
ELSE 'No Documents required'
END
FROM
dms_report
WHERE
pilot = 1;
End//
DELIMITER ;
I have created this procedure successfully but when I try to call it, I am getting error 1305 the function database.temp does not exist. I am trying to call using this statement:
SET #increment = '1';
select temp( #increment)
but I get Error, please tell me where I made mistake.
This is how you call it, use use the keyword call and then procedure's name
call procedureName(params);
in call of making an string
String sqlString = "procedureName("+?+")"; //in case of Integers
String sqlString = "procedureName('"+?+"')";//in case of Integers
bring the parameter in prepared statement.
MySQL's documentation on Using JDBC CallableStatements to Execute Stored Procedures explains the necessary steps quite well.
This is what your java code needs to look like:
CallableStatement cStmt = conn.prepareCall("{call temp(?)}");
cStmt.setInt(1, 42); //set your input parameter, empId, to 42.
If you want to work with the rows returned by your stored procedure's query in your Java code, you're also going to need to create an OUT parameter as noted in MySql's documentation page titled, CALL Syntax:
CALL can pass back values to its caller using parameters that are
declared as OUT or INOUT parameters
In order to call your stored procedure from MySQL workbench, use the CALL command. You can call stored procedure by directly setting values for each of the parameters:
SET #increment = 1;
CALL temp(#increment)
Then you simply use the SELECT statement to return the value of your output parameter
SELECT #outParameter
With help setting your output parameters, please read the article MySQL Stored Procedure - SELECT - Example.
Your stored procedure is syntactically wrong, and as mentioned in the comments, you're not using the stored procedure functionality for it's intended use. It's intended to be used for data manipulation not for querying. You should instead consider turning your procedure into a series of prepared statements.
Please let me know if you have any questions!
update <table> set url="http://www.google.com?a=1&something=so"
If I'm updating directly my string is updated till ?a=1 from & it is eliminating. can any one help me in this if my url contains any special symbol and how I need to update. I'm working from java
To avoid problems with string values consider using PreparedStatement and its setString method which will generate proper query with escaped values (if needed).
So try with
PreparedStatement ps = con.prepareStatement("update table set url=?");
// +----------------------------------------------------^
// | represents where we should put value
ps.setString(1, "http://www.google.com?a=1&something=so");
//then execute this statement
use this:-
update [table_name] set url='http://www.google.com?a=1'||'&'||'something=so'
here we are concatenating &, so that it does not create problem while update.
FYI.. if we have & in the string we try to update, oracle consider string following & as a parameter whose value it thinks as if it will be provided at run time, that is the reason why it was troubling you.
I'm trying to pass an array of strings to a select statement and I keep getting the error:
org.postgresql.util.PSQLException: Can't infer the SQL type to use for an instance of clojure.lang.PersistentVector. Use setObject() with an explicit Types value to specify the type to use.
I know that the column type is correct, it looks as if passing a vector is the culprit. What is the correct way to do this?
The sql statement is formatted like so:
"SELECT * FROM said_table WHERE item_id IN (?)"
This answer assumes you are using jdbc and not korma or something like it and need to generate the sql directly instead of going through some tool:
the in directive requires you to crate one ? for each item in the list. I end up using this pattern when something else requires me to build the SQL manually:
(let [placeholders (s/join ", " (repeat (count things-go-here) "?"))
query "SELECT * FROM said_table WHERE item_id IN (%s)"]
(exec-raw [(format query placeholders) things-go-here] :results)
....)