I am trying to execute a Cassandra query in Java 8.
My query is
SELECT * FROM customer where aor='north'
and I execute it with
session.execute(query)
and get the correct answer.
But then I changed my query to SELECT * FROM customer where aor=?
String query = "SELECT * FROM customer where aor=?";
PreparedStatement statement = session.prepare(query);
BoundStatement boundStatement = statement.bind("'north'"); // bound value passed with literal quote characters
ResultSet results = session.execute(boundStatement);
for (Row row : results) {
    System.out.println(row.toString());
}
This is not working. No errors are shown, but I am not getting any result.
Can someone please help?
When you use statement.bind("'north'"), it means that you want to literally find 'north'.
Just change your string to north and it will work as you wanted.
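As an added example, not code from the question or the answer above, here is the same behaviour reproduced in Python with the standard sqlite3 module standing in for the Cassandra Java driver. The customer table, its rows and the region strings are constructed for the example. A bound value is compared as data: binding "'north'" looks for the string with the quote characters in it and matches nothing, binding "north" matches, and the same property is what keeps a bound payload such as ' OR '1'='1 inert where the concatenated form of the query is injectable.

```python
import sqlite3

# Constructed sample rows standing in for the Cassandra "customer" table.
CUSTOMERS = [
    (1, "north"),
    (2, "south"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, aor TEXT NOT NULL)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def customers_in_region(conn, region):
    """Parameterised lookup: whatever is bound is compared as a value, never parsed as SQL."""
    rows = conn.execute("SELECT id FROM customer WHERE aor = ?", (region,)).fetchall()
    return [r[0] for r in rows]


def customers_in_region_concat(conn, region):
    """The string-built form the question started from; shown only for contrast.
    The caller's text becomes part of the SQL, so a quote in it changes the query."""
    rows = conn.execute(f"SELECT id FROM customer WHERE aor='{region}'").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(customers_in_region(db, "'north'"))          # [] : looks for 'north' with the quotes
    print(customers_in_region(db, "north"))            # [1]
    print(customers_in_region(db, "' OR '1'='1"))      # [] : payload is just a string value
    print(customers_in_region_concat(db, "' OR '1'='1"))  # [1, 2] : payload rewrote the WHERE clause
```

The first two calls are the question's situation: with a bound parameter the driver never strips or interprets quotes, so the quotes you would have typed in a literal query must not be part of the value. The last two calls show why that is the right design: the bound payload returns nothing, while the concatenated query returns every row.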
Related
I am facing a Second Order SQL Injection finding in a Spring-Hibernate application after scanning it with the Checkmarx tool. I have gone through multiple questions on StackOverflow and on other platforms as well, but did not find the right answer.
Could you please look into the code snippet below?
public String getOrderId(String order_name) {
    String returnId = null;
    // positional bind parameter: order_name is sent as data, not spliced into the SQL text
    Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
    List<String> dataset = query.setParameter(1, order_name).getResultList();
    if (dataset != null && !dataset.isEmpty()) {
        returnId = dataset.get(0);
    }
    return returnId;
}
In the above method, when calling getResultList(), I get a high-severity finding saying that the data this method returns flows through the code without being properly sanitized or validated, and is eventually used in a further database query in the method.
The earlier code was like this:
public String getOrderId(String order_name) {
    String returnId = null;
    String q = "select order_id from order where order_name=" + order_name; // value concatenated into the SQL text
    Query query = entityManager.createNativeQuery(q);
The value was appended directly to the query string, which I have changed to use setParameter:
Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
List<String> dataset = query.setParameter(1, order_name).getResultList();
But even so, after the data comes back from query.getResultList(), the tool asks for the data to be sanitized and validated before it is used in a further database query method.
This returned data is used in a further query like select * from return_Data where clause (properly used in the where clause with setParameter to avoid SQL injection),
and that query lives in another method to which we pass return_Data as input.
Could you please help me understand what checks and validation can be added to overcome this type of issue? Thanks in advance for a prompt response.
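The following is an added example, not code from the question, written in Python with the standard sqlite3 module in place of JPA so that it runs offline; the orders and shipment tables, the order id containing a quote, and the helper names are all constructed for the example. It shows what "second order" means in the finding: the first query is parameterised and cannot be injected, but the value it returns was itself stored from untrusted input, so if that value is later concatenated into another SQL string the stored payload fires there. The fix is to bind the value again in the second query; where the value has to be an identifier (a table name) and cannot be bound, it is checked against an allowlist before being spliced in.

```python
import re
import sqlite3

# Constructed data. The second order's id was built from untrusted input and
# carries a quote-breaking payload; the bound INSERT stores it as plain text.
ORDERS = [
    ("ORD-1", "widgets"),
    ("ORD-2' OR '1'='1", "gadgets"),
]
SHIPMENTS = [
    ("ORD-1", "shipped"),
    ("ORD-2' OR '1'='1", "pending"),
]
# Allowlist for values that must land in an identifier position.
KNOWN_TABLES = {"shipment"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT PRIMARY KEY, order_name TEXT)")
    conn.execute("CREATE TABLE shipment (order_id TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    conn.executemany("INSERT INTO shipment VALUES (?, ?)", SHIPMENTS)
    return conn


def get_order_id(conn, order_name):
    """First hop, same shape as the fixed Java method: order_name is bound."""
    row = conn.execute("SELECT order_id FROM orders WHERE order_name = ?",
                       (order_name,)).fetchone()
    return row[0] if row else None


def shipment_status_concat(conn, order_id):
    """Second hop by string concatenation: this is the second-order sink the
    scanner is pointing at. The stored payload becomes part of the SQL here."""
    sql = f"SELECT status FROM shipment WHERE order_id = '{order_id}'"
    return [r[0] for r in conn.execute(sql)]


def shipment_status(conn, order_id):
    """Second hop with a bound parameter: the stored value stays data."""
    return [r[0] for r in conn.execute(
        "SELECT status FROM shipment WHERE order_id = ?", (order_id,))]


def rows_in_table(conn, table):
    """When the returned value must be an identifier it cannot be bound, so
    validate its shape and membership in the allowlist before splicing it in."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table) or table not in KNOWN_TABLES:
        raise ValueError(f"refusing to query unexpected table {table!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    oid = get_order_id(db, "gadgets")          # "ORD-2' OR '1'='1", safely retrieved
    print(shipment_status_concat(db, oid))     # ['shipped', 'pending'] : payload widened the WHERE
    print(shipment_status(db, oid))            # ['pending']
    print(rows_in_table(db, "shipment"))       # 2
```

The practical answer to the question is that a value coming out of the database deserves the same treatment as a value coming in from a request: bind it wherever SQL accepts a parameter, and where SQL does not (table or column names, ORDER BY direction) compare it against a fixed set of expected values rather than trying to sanitize it.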
We have a scenario where, while doing a batch update on a table using JdbcBatchItemWriter, we are not finding a way to skip the update if the attribute is null. We don't want too many queries and ItemPreparedStatementSetters, so we have a single query that updates all fields of the table. Different batch jobs update different attributes of the table.
List<Report> summaryList = getSummaryList();
// the writer's item type must match the setter's item type
JdbcBatchItemWriter<Report> writer1 = new JdbcBatchItemWriter<>();
String sql_update = GenericConstants.UPDATE_QUERY;
writer1.setDataSource(dataSource);
ItemPreparedStatementSetter<Report> updatePreparedStatementSetter = new ItemMergeUpdatePreparedItemSetter();
writer1.setItemPreparedStatementSetter(updatePreparedStatementSetter);
writer1.setSql(sql_update);
writer1.afterPropertiesSet();
writer1.write(summaryList);
I tried the following after seeing a few examples of conditional updates in the query, but it doesn't help yet.
Below is the query. Any help on this will be very much appreciated.
UPDATE_QUERY = "update [dbo].[test_tbl] "
    + "SET test_col1 = CASE WHEN ? != 0 THEN ? ELSE test_col1 END, "
    + "    test_col2 = CASE WHEN ? != 0 THEN ? ELSE test_col2 END "   // END was missing on the second CASE
    + "WHERE market = ? AND country = ?";
I don't want to construct the SQL query based on the parameters, as I would lose the bulk-writing feature of JdbcBatchItemWriter. Can someone please suggest the right approach to solve this problem, and possibly correct the SQL query I'm writing?
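As an added example, not taken from the question, the "leave the column alone when the attribute is null" update is shown below in Python with sqlite3 and executemany, which plays the role of the JdbcBatchItemWriter batch: one fixed statement, one parameter tuple per item. The table, rows and column names are constructed. The first statement keeps the question's CASE structure (with the END the second CASE was missing and a NULL test instead of != 0); because each ? is an independent positional slot, a value that is both tested and assigned has to be bound twice. The second statement uses COALESCE, which falls back to the current column value and needs each attribute only once.

```python
import sqlite3

# Constructed rows: (market, country, test_col1, test_col2)
ROWS = [
    ("EU", "DE", 10, 100),
    ("EU", "FR", 20, 200),
    ("US", "US", 30, 300),
]

# Same shape as the question's UPDATE_QUERY. Six bind slots: the tested and
# assigned value for each column appears twice, then the two key columns.
UPDATE_CASE = """
UPDATE test_tbl
   SET test_col1 = CASE WHEN ? IS NOT NULL THEN ? ELSE test_col1 END,
       test_col2 = CASE WHEN ? IS NOT NULL THEN ? ELSE test_col2 END
 WHERE market = ? AND country = ?
"""

# Equivalent and shorter: a NULL parameter leaves the column unchanged and
# each attribute is bound exactly once, so the setter stays trivial.
UPDATE_COALESCE = """
UPDATE test_tbl
   SET test_col1 = COALESCE(?, test_col1),
       test_col2 = COALESCE(?, test_col2)
 WHERE market = ? AND country = ?
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_tbl (market TEXT, country TEXT, "
                 "test_col1 INTEGER, test_col2 INTEGER)")
    conn.executemany("INSERT INTO test_tbl VALUES (?, ?, ?, ?)", ROWS)
    return conn


def snapshot(conn):
    """Current table contents in a fixed order, for comparison."""
    return conn.execute("SELECT market, country, test_col1, test_col2 "
                        "FROM test_tbl ORDER BY market, country").fetchall()


def batch_update_case(conn, items):
    """items: (col1, col2, market, country); None means 'do not touch this column'.
    Mirrors what the ItemPreparedStatementSetter would bind for the CASE query."""
    params = [(c1, c1, c2, c2, m, co) for c1, c2, m, co in items]
    conn.executemany(UPDATE_CASE, params)
    conn.commit()
    return snapshot(conn)


def batch_update_coalesce(conn, items):
    """Same items, bound once each for the COALESCE query."""
    conn.executemany(UPDATE_COALESCE, items)
    conn.commit()
    return snapshot(conn)


if __name__ == "__main__":
    batch = [(None, 111, "EU", "DE"),   # only test_col2 changes
             (22, None, "EU", "FR")]    # only test_col1 changes
    print(batch_update_case(make_db(), batch))
    print(batch_update_coalesce(make_db(), batch))
```

Whichever form is used, the setter has to bind the missing attribute as SQL NULL (setNull with the column's JDBC type in a JDBC setter) rather than as 0, otherwise a legitimate zero can never be written; the NULL test, unlike != 0, also works for text columns.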
I want to execute a PreparedStatement in the getSqlMapClientTemplate() method. One of the PreparedStatement parameter values comes from another query's result. Is it possible to execute it like this?
Like
String query = "select Id_no from employee";
String resultQuery = "select empSalary from employeePay where Id=?";
PreparedStatement ps = con.prepareStatement(query); // instead of the Connection reference I want to use getSqlMapClientTemplate()
ResultSet rs = ps.executeQuery();
PreparedStatement pst = con.prepareStatement(resultQuery);
while (rs.next()) {
    // pst.setInt(1, rs.getInt(1)); // here I want to pass the dynamic value to execute resultQuery
    pst.setInt(1, userGivenValue);
    pst.executeQuery();
}
For the PreparedStatement I want to use the getSqlMapClientTemplate() method instead of the Connection object.
You don't want a SqlMapClientTemplate, you want a JdbcTemplate instead.
Next, your solution is flawed as it falls into the 1+N select problem, i.e. you execute a single query to get a list of ids and then for each id issue another query. Creating a single query which does everything in one shot is more efficient.
final String query = "select empSalary from employeePay where Id in (select Id_no from employee)";
JdbcTemplate template = getJdbcTemplate();
List<Long> salaries = template.queryForList(query, Long.class);
Something like that.
Or, if you want to use the SqlMapClientTemplate, simply add the query to the iBatis configuration and let iBatis (instead of the JdbcTemplate) handle the heavy lifting for you.
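To make the 1+N point of the answer concrete, here is an added example (not from the answer) in Python with sqlite3; the employee and employeePay tables are constructed, and the connection's trace hook is used to count how many statements each approach actually sends to the database. The loop version costs one statement plus one per id, the subquery version costs one statement, and both return the same salaries.

```python
import sqlite3

# Constructed tables. Id 9 has pay but no employee row, so the subquery has to filter it out.
EMPLOYEES = [(1,), (2,), (3,)]
PAY = [(1, 5000), (2, 6000), (3, 7000), (9, 9999)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (Id_no INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE employeePay (Id INTEGER, empSalary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?)", EMPLOYEES)
    conn.executemany("INSERT INTO employeePay VALUES (?, ?)", PAY)
    return conn


class StatementCounter:
    """Counts statements as sqlite starts running them, via the trace callback."""

    def __init__(self, conn):
        self.count = 0
        conn.set_trace_callback(self._hit)

    def _hit(self, _sql):
        self.count += 1


def salaries_one_plus_n(conn):
    """The question's shape: fetch the ids, then one bound query per id."""
    counter = StatementCounter(conn)
    ids = [r[0] for r in conn.execute("SELECT Id_no FROM employee")]
    salaries = []
    for emp_id in ids:  # one round trip per employee
        row = conn.execute("SELECT empSalary FROM employeePay WHERE Id = ?",
                           (emp_id,)).fetchone()
        salaries.append(row[0])
    conn.set_trace_callback(None)
    return salaries, counter.count


def salaries_single_query(conn):
    """The answer's shape: let the database join the two sets in one statement."""
    counter = StatementCounter(conn)
    salaries = [r[0] for r in conn.execute(
        "SELECT empSalary FROM employeePay "
        "WHERE Id IN (SELECT Id_no FROM employee) ORDER BY Id")]
    conn.set_trace_callback(None)
    return salaries, counter.count


if __name__ == "__main__":
    db = make_db()
    print(salaries_one_plus_n(db))    # ([5000, 6000, 7000], 4)
    print(salaries_single_query(db))  # ([5000, 6000, 7000], 1)
```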
I have an issue related to the performance of a SQL query using JPA.
Response time:
Using Toad - 200 ms
Inside my project using Glassfish 2.1, Java 1.5, Hibernate 3.4.0.ga - 27 s
Oracle 10g
Glassfish and Toad are hosted on the same machine. I have connected to other databases from the same Glassfish, JPA, etc., and performance is good, so I don't know what is happening.
I have two different environments. In one of them (theoretically the worse one) it runs fast. The other is where I have the problem.
The query is executed with a javax.persistence.Query object, and the parameters are inserted into this object with the setParameter() method. After that, I call the getResultList() method, which returns the records to me. This is where the time is excessive.
But if I replace the parameters in the code and call the getResultList() method directly, without setting parameters on the Query object, the performance is much better.
Could anyone give me any clue about the problem or how to trace it?
Query
SELECT A, B, ..., DATE_FIELD FROM
(SELECT A, B, C, DATE_FIELD FROM Table1
WHERE REGEXP_LIKE(A, NVL(UPPER(:A),'')) AND DATE_FIELD = :DATE
UNION
SELECT A, B, C, DATE_FIELD FROM Table2
WHERE REGEXP_LIKE(A, NVL(UPPER(:A),'')) AND DATE_FIELD = :DATE)
Java Code
public Query generateQuerySQL(String stringQuery, Map<String, Object> hParams) {
    Query query = em.createNativeQuery(stringQuery);
    if (hParams != null) {
        // bind every named parameter (:A, :DATE, ...) supplied by the caller
        for (Map.Entry<String, Object> param : hParams.entrySet()) {
            query.setParameter(param.getKey(), param.getValue());
        }
    }
    return query;
}
Query query = em.createNativeQuery(stringQuery);
will build a query plan to execute the query. Unfortunately the metadata used to build the query plan does not fit the actual parameter values that will be used when the query is executed.
If you substitute the parameters before the plan is built, the plan is fine and runs very fast.
Similar question here
You should change cursor_sharing = FORCE in Oracle to enable Hibernate support in JPA for Oracle.
Please refer to the following for more details
There is an ascending default index on the column "wimindex".
I want to retrieve just the most recent one using an Oracle hint like below.
But it seems that the Oracle query hint doesn't work.
Of course this query works well in Oracle SQL*Plus.
Just Qt QSqlQuery doesn't work.
Would you help me? Or any hint?
Below is my code.
Thanks...
QString lastWimIdxQuery = "SELECT /*+ index_rs_desc(VIOLATE, VIOLATE) */ WIMINDEX FROM VIOLATE WHERE wimindex > 0 and rownum = 1";
query.exec(lastWimIdxQuery);
int fieldNo = query.record().indexOf("WIMINDEX");
if (query.next()) {
    this->m_lastWimIdx = query.value(fieldNo).toInt();
    qDebug() << this->m_thread_name << " : " << this->m_lastWimIdx;
} else {
    return;
}
It seems that Qt is perhaps eating the comment/hint and not passing it to the database? Create a view in the database using your query and select from that to confirm this hypothesis:
CREATE OR REPLACE VIEW LastWMIdxView AS
SELECT /*+ index_rs_desc(VIOLATE, VIOLATE) */ WIMINDEX
FROM VIOLATE
WHERE wimindex > 0 AND rownum = 1;
Then use that view in your code:
QString lastWimIdxQuery = "SELECT WIMINDEX FROM LastWMIdxView";
Alternatively, you could run your query as is and check the v$sql view to see what was parsed:
SELECT sql_text
FROM v$sql
WHERE UPPER(sql_text) LIKE '%VIOLATE%';
If it turns out that the comments are being eaten, unless there's a way to control that in Qt I think you'll probably have to use the view as outlined above.