I am trying to execute the query "find all merchants whose ids are in this list" (where the id is #GeneratedValue UUID string) in my spring data neo4j application.
Using query methods, that would (AFAIK) translate to either of:
List<Merchant> findByIdIn(List<String> ids);
List<Merchant> findByIdIsIn(List<String> ids);
In my swagger UI, I can see the endpoints, but when I pass in a valid id, no results are returned:
However, if I execute the same method programatically, the correct results are returned:
Similarly, the GET /merchants/90c55d4b-b3dc-4ae3-ab43-4d6ff523a20b endpoint returns the expected element.
This leads me to believe the internal translation of the HTTP request to the query isn't correct (most likely due to the list arg). The exact same thing happens (no results are returned) if I use a custom #Query, despite using the accepted solution from this s/o question:
#Query("MATCH (m: Merchant)" +
"WHERE m.id in $merchantId " +
"RETURN m")
List<Merchant> customQuery(List<String> merchantIds);
Am I missing something here? How do I query using a list as an argument? Thanks!
Related
I am facing Second Order SQL Injection in the Spring-Hibernate application after scanning through the Checkmarx tool, I have gone through multiple questions in StackOverflow and in other platforms as well but did not get the right finding.
could you please look into the below code snip,
public String getOrderId(order_name){
String returnId= null;
Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
List<String> dataset = query.setParameter(1,order_name).getResultList();
if(dataset!=null){
returnId = dataset. Get(0);
}
return returnId;
}
In this above method, while calling getResultList(), getting a high vulnerability issue that, this method returns data flows through the code without being properly sanitized or validated, and eventually used in further database query in the method.
Earlier code was like this,
public String getOrderId(order_name){
String returnId= null;
String q = "select order_id from order where order_name="+order_name;
Query query = entityManager.createNativeQuery(q);
and directly it was used as a string append in query, which I have modified with set parameter,
Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
List<String> dataset = query.setParameter(1,order_name).getResultList();
but still after getting data from query.getResultSet(), it is asking for sanitizing and validating the data before use in further database query method.
and this return data is being used in further query like select * from return_Data where clause. (properly used in where clause to set parameter to avoid SQL injection).
and in the above query is used in another method where we pass return_Data as input to it.
could you please help here to know what checks and validation can be added to overcome this type of issue. Thanks in advance for prompt response.
I'm trying to map my entity to projection using the below query but i'm getting error as
Exception : could not extract ResultSet SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet
here is the query
#Query("select rf.rfqID as rfqID,rf.creationDate as creationDate," +
"rf.deadLineDate as deadLineDate,rf.details as details," +
"rf.message as message, rf.rfqDoc as rfqDoc," +
"CASE WHEN (rf.creationDate > CURRENT_DATE) THEN 'open' ELSE 'closed' END as status," +
"rf.rfqMembers as rfqMembers " +
"from RFQ rf where rf.createdBy = ?1")
Page<RfqDto> loadAllRfq(String creator, Pageable pageable);
In my Dto I have an extra status column which I don't want to persist in db and would like to get the status via query
here is my projection interface
public interface RfqDto {
String rfqID();
Date creationDate();
Date deadLineDate();
String details();
String message();
String rfqDoc();
String status();
List<RfqMember> rfqMembers();
}
The root cause of your problem is here:
In my Dto I have an extra status column which I don't want to persist in db and would like to get the status via query
As it's explained in the documentation:
The important bit here is that the properties defined here exactly match properties in the aggregate root.
...
The query execution engine creates proxy instances of that interface at runtime for each element returned and forwards calls to the exposed methods to the target object.
So, you can not use spring data jpa projection for your case. You can not use hibernate/jpa projection as well, because it dose not support collections in row results.
You can try to use Blaze-Persistence Entity Views. See for example this answer.
How can I achieve this query
select *
from table t
where name like '%Ami%'
order by (name = 'Ami') desc, length(col);
(just the sort part)
Using springframework Sort..
What I tried is
Sort.by(Sort.Direction.DESC, "name") // But I need to sort by name = 'Ami'
Sort.by(Sort.Direction.DESC, "name" = 'Ami'") // throws an error
JpaSort.unsafe(Sort.Direction.DESC, "name" = 'Ami'") // throws an error
Looks like the documentation has an example almost identical to your question:
https://docs.spring.io/spring-data/jpa/docs/2.4.5/reference/html/#jpa.query-methods.sorting
However, using Sort together with #Query lets you sneak in
non-path-checked Order instances containing functions within the ORDER
BY clause. This is possible because the Order is appended to the given
query string. By default, Spring Data JPA rejects any Order instance
containing function calls, but you can use JpaSort.unsafe to add
potentially unsafe ordering.
In my hyperledger-composer app with angular front-end I want to send a query to the REST server.
query selectEmployeesByProject {
description: "Select all employees with access to the specified project"
statement:
SELECT org.comp.app.Employee
WHERE (projects CONTAINS [_$project])
ORDER BY [lastName, firstName]
}
Employee is defined as follows:
participant Employee {
o String lastName
o String firstName
--> Project[] projects optional
}
The http-request that is sent is the following:
this.httpClient.get<any[]>(requestURL, {withCredentials: true});
whereby the request url is the following:
http://localhost:4200/api/queries/selectEmployeesByProject?projects=resource:org.comp.app.Project#project1ID
In the console I get the following error message:
Failed to load resource
http://localhost:4200/api/queries/selectEmployeesByProject?projects=resource:org.comp.app.Project#project1ID
the server responded with a status of 400 (Bad Request)
Why is the query not working?
In general, httpRequests to the REST-server work in my app. Even other queries work. However, queries with the "CONTAINS" operator (such as the one above) do not work.
more likely to be
query selectClientsByProjects {
description: "Select all clients with access to a certain project"
statement:
SELECT org.myComp.myApp.Client
WHERE (projects CONTAINS [_$project])
ORDER BY [lastName ASC, firstName ASC]
}
Note: At the time of writing - CouchDB does not allow the ORDER BY clause to contain multiple items of different sort direction (obviously not the case above).
Also - not tested but your http call may need to be:
this.http.get('http://localhost:4200/api/queries/selectClientsByProjects?projects=resource:org.myComp.myApp.Project%231')
(%23 is the ASCII for '#')
You can try it out your definition first anyway (eg. without ORDER BY maybe) etc etc. Note: CONTAINS must match one entry ('array contains an element, with complete string match (above), in any element, in that array)
in my Spring MVC project i m using Hibernate, by using Criteria API i am applying Group BY and Order BY clause. Query get executed on DB successfully and it brings result also but its an array of Object--
Here is code of Criteria API
Criteria criteria = session.createCriteria(DashboardSubindicatorSubmission.class, "DashboardSubindicatorSubmission")
.setProjection(Projections.projectionList()
.add(Projections.sum("InputValue").as("InputValue"))
.add(Projections.groupProperty("fkAccademicYearId"))
.add(Projections.groupProperty("fkAssessmentPlanID"))
.add(Projections.groupProperty("fkSubindicatorID"))
.add(Projections.groupProperty("InputTitle")))
.addOrder(Order.asc("fkAccademicYearId"))
.addOrder(Order.asc("fkAssessmentPlanID"))
.addOrder(Order.asc("InputTitle"));
List<DashboardSubindicatorSubmission> dashboardSubindicatorSubmissionList = (List<DashboardSubindicatorSubmission>)criteria.list();
session.flush();
transaction.commit();
return dashboardSubindicatorSubmissionList;
I am casting criteria.list() to List<DashboardSubindicatorSubmission> but when i try to do dashboardSubindicatorSubmissionList.get(i) on controller it gives me exception java.lang.ClassCastException: [Ljava.lang.Object; cannot be cast to mkcl.accreditation.model.DashboardSubindicatorSubmission.
i come to know that, though i m casting it to List<DashboardSubindicatorSubmission> still its an list of object[] thats why i cant do dashboardSubindicatorSubmissionList.get(i) because it returns me object of DashboardSubindicatorSubmission. (Correct me if i am wrong)
So how can i convert my result into list of DashboardSubindicatorSubmission class?
Does setResultTransformer() helps me in this case?
You have two options. When you use projections, Hibernate doesn't know how to respect each field because it uses the name of each field to build objects and he doesn't know the names yet.
Thus, your first option is to name the fields grouped so that they match the names of object properties. This is necessary even if the string you use in projection is already the name of the object field. Something like:
.add(Projections.groupProperty("fkAccademicYearId"), "fkAccademicYearId") // same value
.add(Projections.groupProperty("fkAssessmentPlanID"), "other") // other value
The second option is to do what you yourself suggested, create your own implementation of ResultTransformer. I reckon this a interesting option if you want to extract other object of this query, as when you make a report.