I want to retrieve value from db ,based on jsp textbox value please suggest me accurate HQL query for this purpose:
select all from table where name = en and password = pwd
I have tried for above work via this way but got error in
getHibernateTemplate().find("from User where Employee_Name= ?"+ a);
Error -:
java.lang.reflect.InvocationTargetException
You can do this
Query query = session.createQuery("from User where Employee_Name= :name");
query.setParameter("name", "asdf");
List list = query.list();
or you can do the same as on the first answer
Seems like the issue is with the prepaid statement, you must use
hibernatemplate.find(String queryString,Object value)
Look here for more spec.
Hope this code will fix it.
getHibernateTemplate().find("from User where Employee_Name=?",a);
Query query=session.createQuery("from User where Employee_Name= "+"'en'"+
"and Employee_Pass= " + "'pwd'");
List<User> list=query.list();
Iterator<User > itr=list.iterator();
while(itr.hasNext()){
User q=itr.next();
use getter method of User class to fetch all the values
}
Related
I am facing Second Order SQL Injection in the Spring-Hibernate application after scanning through the Checkmarx tool, I have gone through multiple questions in StackOverflow and in other platforms as well but did not get the right finding.
could you please look into the below code snip,
public String getOrderId(order_name){
String returnId= null;
Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
List<String> dataset = query.setParameter(1,order_name).getResultList();
if(dataset!=null){
returnId = dataset. Get(0);
}
return returnId;
}
In this above method, while calling getResultList(), getting a high vulnerability issue that, this method returns data flows through the code without being properly sanitized or validated, and eventually used in further database query in the method.
Earlier code was like this,
public String getOrderId(order_name){
String returnId= null;
String q = "select order_id from order where order_name="+order_name;
Query query = entityManager.createNativeQuery(q);
and directly it was used as a string append in query, which I have modified with set parameter,
Query query = entityManager.createNativeQuery("select order_id from order where order_name=?");
List<String> dataset = query.setParameter(1,order_name).getResultList();
but still after getting data from query.getResultSet(), it is asking for sanitizing and validating the data before use in further database query method.
and this return data is being used in further query like select * from return_Data where clause. (properly used in where clause to set parameter to avoid SQL injection).
and in the above query is used in another method where we pass return_Data as input to it.
could you please help here to know what checks and validation can be added to overcome this type of issue. Thanks in advance for prompt response.
Please check the below query I am trying to update a row by the composite key
my key combination is like:
int id
int versionId
String languageId
and query is:
#Transactional
#Modifying
#Query("update languageEntity l set l.language = :language where l.languageId = :languageId")
int UpdateProcessLanguage(#Param("language ") String processDesTranslation, #Param("languageId ") UserLanguageId languageId);
I am not getting any exception. function is returning 0, means no row effected.
please check what is worng.
It's hard to say without knowing the data. As a first step I would log the generated SQL statements (see how to log sql statements in spring-boot) and check if they look right.
Why you dont wan't to use save() method for that? Just change language property on your object and pass it to the save method. It will update the row.
I'm having problems to do a simple permission system on my Webapp. My DB has a table called "usuario" that has informations about the users of the system. One of these columns is called "privilegio" that has value '0' for administrators and 1 for regular users. An administrator has the power to Add and edit users on the system. Im trying to take this behavior querying my database with the cod of the logged user and getting its permission. If the user is not on the administrator group (privilegio=1) then the add/edit/delete buttons will be unset.
public function usuario() {
if($this->session->userdata('logged')){
$crud = new grocery_CRUD();
$crud->set_subject("Usuário");
$crud->set_theme('datatables');
$crud->set_table("usuario");
(...)
$crud->field_type('privilegio','dropdown',array('0'=>'Administrador','1'=>'Usuario'));
(...)
$this->db->select('privilegio');
$this->db->get('usuario');
$result = $this->db->where('cod_func',$this->session->userdata('cod_func'));
if(!$result){
$crud->unset_add();
$crud->unset_edit();
$crud->unset_delete();
}
(...)
The problem (and the question) is that this code only list the user that is logged on, not the others already registered on the system and stored on "usuario" table. I wonder that the list is been made by my query (what is not the behavior I would like) I hope you could undestand my doubt. Sorry for my bad english.
Thank you!
you're having trouble with the active record functions...
When you use the function
$this->db->get('usuario');
This translates to the query:
SELECT * FROM usuario
So try changing your code to something like this:
$this->db->select('privilegio');
$this->db->from('usuario');
$this->db->where('cod_func',$this->session->userdata('cod_func'));
$this->db->limit(1); //You're only expecting one result
$result = $this->db->get(); // Save the result to the variable result
//Edited for the comment, something like
$result = $result->first_row('array'); //Here I'm fetching only the first row into an array
$privilegio = $result['privilegio']; //Im saving the result from the query in the variable $privilegio
This translates to:
SELECT priviliegio FROM usuario WHERE cod_func = 'some_value' LIMIT 1;
Then you can do whatever you want with the $result variable, please refer to documentation to see what you can do...
Generating Query Results
I am implementing an autocomplete functionality using Jquery, when I type the name, it fetches the record from the db, The records stored in db are mixture of capital & small letters. I have written a HQL Query which fetches me the records with case-sensitive, but I need to records irrespective of case. Here is the query,
List<OrganizationTB> resultList = null;
Query query = session.createQuery("from DataOrganization dataOrg where dataOrg.poolName
like '%"+ poolName +"%'");
resultList = query.list();
Ex : If I have pool names, HRMS Data set, Hrms Data, Hr data etc... if I type HR or hr I need to get all the 3 records, which I'm not able to.
Please help...
change your query to
"from DataOrganization dataOrg where lower(dataOrg.poolName)
like lower('%"+ poolName +"%')"
for more information have a look 14.3 doc
A good solution is:
List<OrganizationTB> resultList = null;
Query query = session.createQuery("from DataOrganization dataOrg where lower(dataOrg.poolName) like lower(:poolName)");
query.setParameter("poolName", '%'+poolName+'%', StringType.INSTANCE);
resultList = query.list();
So you protect your code from SQL injection
I'm constructing a hql query that needs to return orders where the User's ID is null:
IList<Order> rows = DataContext.LoadList<Order>(
"from Order " +
"where OrderDate < ? " +
" and User.ID is null" //have also tried 'and User is null'
, DateTime.Today.AddMonths(-1));
This returns no records even though a direct query against the db returns a few dozen.
If I use the same query but replace the 'is null' with '33' (a valid userID), I'll get that user's orders. So the foundation of the query is valid - something's wrong with how I'm expressing the 'is null' bit.
Probably has something to do with the fact that, in the .NET project the Order object contains a complex User object where as in the database, the Orders table just holds integer (ID) that's a foreign key to the User table.
Still - since 'and User.ID = 33' works as expected I don't follow why 'is null' doesn't.
This answer suggests I need to switch of the Criteria route. This answer suggests that my current code should work.
thx
Rather than building a query statement, use a Query factory approach:
Query q = new Query();
q.Criteria.Add(new Criteria("User.ID", CriteriaOperator.IsNull));
Works.