I have a question and I hope you answer it please.
I want to use Spring framework with Standard jdbc like this
"SELECT usernmae FROM users WHERE username='" + usename + '"
Is it possible to do that I donot want to use prepared statement. It is just sample query.
JDBC is no more or less vulnerable to SQL injection than any other SQL connection mechanism. Vulnerability to SQL injection falls on the hands of the people who write the code. JDBC templates provide a way to manage the connection with the database not necessarily protect you from SQL injection. You are still more than capable of writing crappy code with a JDBC template that is vulnerable to SQL injection.
Edit To address the update to your question. You can do that, there is a simple query method in the JDBC template, but doing so would make you vulnerable to SQL injection. The simple answer: always use prepared statements. The only time you can safely avoid using them is if you are not including any input in the query that can from the user. However, you are far better just using a prepared statement even in those cases on the off chance that your assumption is incorrect or it changes down the road. Always, always, always use prepared statements. There is also some performance benefits to using them as the SQL engine can cache the compiled statement for later use, rather than having to recompile the SQL statement each time.
Related
I'm working on a simple task of adding a new table to an existing SQL DB and wiring it into a SpringBoot API with SpringData.
I would typically start by defining the DB table directly, creating PK and FK, etc and then creating the Java bean that represents it, but am curious about using the SpringData initialization feature.
I am wondering when and where Spring Data + JPAs schema generation and DB initialization may be useful. There are many tutorials on how it can be implemented, but when and why are not as clear to me.
For example:
Should I convert my existing lower environment DBs (hand coded) to initialized automatically? If so, by dropping the existing tables and allowing the App to execute DDL?
Should this feature be relied on at all in production envrionment?
Should generation or initialization be run only once? Some tutorial mention this process running continually, but why would you choose to lose data that often?
What is the purpose of the drop-and-create jpa action? Why would
you ever want to drop tables? How are things like UAT test data handled?
My two cents on these topics:
Most people may say that you should not rely on automated database creation because it is a core concept of your application and you might want to take over the task so that you can lnowmfor sure what is really happening. I tend to agree with them. Unless it is a POC os something not production critical, I would prefer to define the database details myself.
In my opinion no.
This might be ok on environments that are non-productive. Or on early and exploratory developments. Definetely not on production.
On a POC or on early and exploratory developments this is ok. In any other case I see this being useful. Test data might also be part of the initial setup of the database. Spring allows you to do that by defining an SQL script inserting data to the database on startup.
Bottomline in my opinion you should not rely on this feature on Production. Instead you might want to take a look at liquibase or flyway (nice article comparing both https://dzone.com/articles/flyway-vs-liquibase), which are fully fledged database migration tools on which you can rely even on production.
My opinion in short:
No, don't rely on Auto DDL. It can be a handy feature in development but should never be used in production. And be careful, it will change your database whenever you change something on your entities.
But, and this is why I answer, there is a possibility to have hibernate write the SQL in a file instead of executing it. This gives you the ability to make use of the feature but still control how your database is changed. I frequently use this to generate scripts I then use as blueprint for my own liquibase migration scripts.
This way you can initially implement an entity in the code and run the application, which generates the hibernate sql file containing the create table statement for your newly added entity. Now you don't have to write all those column names and types for the database table yourself.
To achieve this, add following properties to your application.properties:
spring.jpa.hibernate.ddl-auto=none
spring.jpa.properties.javax.persistence.schema-generation.scripts.create-target=build/generated_scripts/hibernate_schema.sql
spring.jpa.properties.javax.persistence.schema-generation.scripts.action=create
This will generate the SQL script in your project folder within build/generated_scripts/hibernate_schema.sql
I know this is not exactly what you were asking for but I thought this could be a nice hint on how to use Auto DDL in a safer way.
How does OBIEE generate the sql statements that are then run against the target database? I have a report that generates one SQL statement when executed against Oracle database and completely different when executed via jdbc driver against Apache Drill. My problem is that in the second case the query is not even syntactically valid.
I've read this - http://gerardnico.com/wiki/dat/obiee/query_compiler
but still don't understand the mechanism through which Oracle decides on the actual query to be executed based on the driver.
OBIEE uses a "common metadata model" known as the RPD. This has a logical model of your data, along with the physical data source(s) for it. When a user runs a report it is submitted as a "logical" query that the BI Server then compiles using the RPD to generate the necessary SQL query (or queries) against the data sources.
Whilst Hive and Impala definitely work with OBIEE, I've not heard of Drill being successfully used. If you've got the connectivity working then to sort out the query syntax it generates you need to fiddle with the DBFeatures configuration which OBIEE uses to understand what SQL statements are valid for a given database. So if Drill doesn't support, for example, INTERSECT, you simply untick INTERSECT_SUPPORTED (I'm paraphasing the exact dialog terminology).
Can an application developed with oracle queries in DB layer
Be run on an SQLServer Database with the help of an ODBC driver
Maybe, if you used only ANSI SQL statements. ODBC will happily send the text of the query to the query parser on the server and as long as the server can parse it, it will run.
If, however, you have used anything that's specific to Oracle (and that's a long, long list), then it won't work so well.
All that ODBC provides you is abstraction from the connection details -- the driver, the server name, the port numbers etc.
So, how do you get true independence? Generally, you'll use a query generation library like Hibernate which knows how to translate a query language of some kind (HQL) to the specifics for that particular database (PL/SQL or Transact/SQL).
Short answer: Not reliably.
Longer answer: Not through ODBC, but using a JDBC driver for Microsoft SQL Server then perhaps if the application was developed only with ANSI standard SQL. Usually, that is not the case and some PL/SQL code will have been used. If an equivalent piece of T-SQL can be written then it is possible to port the application. But, to your question, this is largely immaterial to the database connection mechanism.
Addendum: Object Relational Mapping tools usually use dialects to generate database independent queries. Other options include using configuration to select the correct queries at run-time (if you need to support both database types).
I was having a bit of trouble figuring this out so I thought I'd ask explicity...
Does oracle's ODP.Net or ODT entity framework support IQueyable - ie. If I create simple paging or query in linq will it run the query on the database?
I'm roughly aware that there are commercial products that will work with oracle to do this - I see DevArt pop up quite a bit.
Thanks,
Sam
You can use NHibernate to run LINQ queries against Oracle database.
NHibernate uses it's "language" called HQL to talk to various databases. And they also built LINQ provider that creates HQL that is in the second phase sent to target DB.
After a bit more searching, it appears the ODP.Net will convert queries into SQL code, but ... poorly on occasion?
see
https://community.oracle.com/thread/2598619
for details & more relevant resources see
https://community.oracle.com/community/developer/english/oracle_database/windows_and_.net/odp.net/content
& enter tag "paging"
According to the last comment in the thread https://community.oracle.com/thread/2349719, linq actully generates the SQL.. interesting
I need to see the query being sent to Oracle from a Java program. In the PostgreSQL JDBC driver, toString() does the job, but the same does not apply to prepared statements from Oracle JDBC implementation. Any ideas how to achieve that?
Check out Log4Jdbc. This sits between your JDBC driver and the application, logging all DB traffic that goes back and forth. It's driver-agnostic, so need for driver-specific logging code.
Extremely handy, and would be even handier if it supported DataSources, but sadly it doesn't.
I think the getOriginalSql() method returns the String being sent to Oracle.