#Autowired
NamedParameterJdbcTemplate namedParameterJdbcTemplate;
public List<Contact> findByPhoneWithNamedParameters(String phone) {
MapSqlParameterSource namedParameters = new
MapSqlParameterSource().addValue("phone", phone);
String sqlQ = getSqlQuery(namedParameters);
namedParameters.addValue("anotherCondition", sqlQ);
String sql = "select * from Contact c where c.phone=:phone
:anotherCondition";
return namedParameterJdbcTemplate.query(sql, namedParameters, new ContactRowMapper());
}
private String getSqlQuery(MapSqlParameterSource namedParameters) {
return " and c.name='Saman'";
}
The above one is generating the query like below:
select * from Contact c where c.phone='09137390432' ' and c.name=''Saman'''
getSqlQuery() return value is embeddigng within single quotes, with that query is not working as expected.
I tried to concatenate the value directyle instead of namedParams;
But in my case, I have to avoid the SQL Injection.
How to resolve this?
You should only use named parameters with the actual values you want to pass to the query, not with whole SQL sub-parts. Otherwise it will escape also the valid SQL quotes.
So you should change your code to something like this:
private String getAdditionalSqlConditions(MapSqlParameterSource namedParameters) {
namedParameters.add("name", "Saman");
return "c.name = :name";
}
public List<Contact> findByPhoneWithNamedParameters(String phone) {
MapSqlParameterSource namedParameters = new MapSqlParameterSource().addValue("phone", phone);
String conditions = getAdditionalSqlConditions(namedParameters);
String sql = "select * from Contact c where c.phone=:phone and " + conditions);
return namedParameterJdbcTemplate.query(sql, namedParameters, new ContactRowMapper());
}
Related
I want to delete multiple database entries at once. Each entry should only be deleted if 3 fields match (here: name, email, age).
If I'd just wanted to delete by a single property, I'd go for:
String sql = "DELETE FROM persons WHERE (email) IN (?)";
JdbcTemplate template;
template.execute(sql, Arrays.asList(emails...));
But what if my condition is formed by multiple fields?
String sql = "DELETE FROM persons WHERE (name, email, age) IN (?, ?, ?)";
JdbcTemplate template;
template.execute(sql, ...); ???
The condition should always match all 3 fields (AND)!
Use the batchUpdate(sql, batchArgs, argTypes) method.
String sql = "DELETE FROM persons WHERE name = ? AND email = ? AND age = ?";
int[] argTypes = { Types.VARCHAR, Types.VARCHAR, Types.INTEGER };
List<Object[]> batchArgs = new ArrayList<>();
batchArgs.add(new Object[] { "John Doe", "john#example.com", 42 });
batchArgs.add(new Object[] { "Jane Smith", "jane#example.com", 47 });
. . .
JdbcTemplate template = ...;
int[] rowCounts = template.batchUpdate(sql, batchArgs, argTypes);
A batchUpdate is what you are looking for here. You would need to change/tweak your query a little bit though.
If you can pass a list of objects (you must match the class members with the values on the SQL query), it can be done automatically:
private final NamedParameterJdbcTemplate namedParameterJdbcTemplate;
// class People { String name; String email; Integer age; }
final String sql = "DELETE FROM persons WHERE name = :name AND email = :email AND age = :age";
final SqlParameterSource[] batchArgs = SqlParameterSourceUtils.createBatch(people.toArray()); // List<People>
final int[] results = namedParameterJdbcTemplate.batchUpdate(sql, batchArgs);
logger.debug("{} record(s) inserted successfully", results.length);
The other approach would be what #Andreas proposed.
I would also recommend to use, always, parameterized queries: DELETE FROM persons WHERE name = :name AND email = :email AND age = :age.
am trying to form a query based on parameters, if the parameters for WHERE clause is null or not. it seems to be a huge code if i do this on if and else. Is there any other smart way to this??
example :
String query = "SELECT CUSTOMER_NAME FROM CUSTOMER_TABLE WHERE ";
if(cust_id !=null && !(cust_id.trim().equalsIgnoreCase("")))
{
query = query + "cust_id='"+cust_id+"'";
}
else
{
}
checking all the columns like this, the code is looking like a mess, please let me know if there is an other way to do this
adding to the above question :
I also have the parameters for like operator
example
if(strCustName!=null)
{
String query = "SELECT * FROM CUSTOMER WHERE CUSTOMER_NAME LIKE '"+strCustName+"';
}
You can use NamedParameterJDBCTemplate
And your query could be
... WHERE (cust_id=:custIdParam OR :custIdParam is null)
AND (another_column=:another_param OR :another_param is null)
UPDATE:
String sqlstr = "select * from the_table where lastname like :lastname or :lastname is null"
NamedParameterJdbcTemplate jt = new NamedParameterJdbcTemplate(datasource);
Map namedParameters = new HashMap();
namedParameters.put("lastname", "%test%");
SqlRowSet result = jt.queryForRowSet( sqlstr ,namedParameters );
from the link
Can't seem to find a way to get one string from table using JdbcTemplate query.
This is the table my sql returns:
ID | STREET_NAME
------------------------
1 | Elm street
Now how am I supposed to get the value of STREET_NAME. SQL always returns one row, so no need to worry about returning more than one row.
For some background info:
INNER JOIN and COUNT in the same query
Using Tony Stark answer to get my table.
But how can I extract "Elm street" from it using JdbcTemplate?
It would help a lot to know what your SQL query looks like, but assuming it's something like SELECT STREET_NAME FROM table WHERE ID=1;
CODE:
public String getStreetNameById(int id) {
JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
String sql = "SELECT STREET_NAME FROM table WHERE ID=?";
String streetName = (String) jdbcTemplate.queryForObject(
sql, new Object[] { id }, String.class);
return streetName;
}
The class JdbcTemplate implements JdbcOperations.
If you look at the queryForObject javadocs in JdbcOperations it states:
Deprecated. as of 5.3, in favor of queryForObject(String, Class, Object...)
Basically, they have changed the method signature to get rid of Object[] arguments in the method signatures in favor of varargs. Please, see the relevant Github issue.
You can rewrite answer of #jlewkovich with the new method signature like this:
public String getStreetNameById(int id) {
JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
String sql = "SELECT STREET_NAME FROM table WHERE ID=?";
String streetName = (String) jdbcTemplate.queryForObject(
sql, String.class, id);
return streetName;
}
If you want to get only one column "string" from your table (or any query with joins), you have to say the name of the column.
Using SELECT * FROM TABLE is a very-very bad practice by the way. I bet you did this.
#JLewkovich modified code:
public String getStreetNameById(int id) {
JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
String sql = "SELECT STREET_NAME FROM table WHERE ID=?";
String streetName = (String) jdbcTemplate.queryForObject(
sql, new Object[] { id }, String.class);
return streetName;
}
But what if there is 0 or more than one result?
Think about it!
But to getting a sequence value (in Oracle), this should work.
public Long getSequence() {
Long seq;
String sql = "select SEQ_XY.NEXTVAL from dual";
seq = jdbcTemplateObject.queryForObject(sql, new Object[] {}, Long.class);
return seq;
}
As per latest specification queryForObject with below syntax is now deprecated
<T> T queryForObject(String sql, Object[] args, Class<T> requiredType)
New method uses varargs.
<T> T queryForObject(String sql, Class<T> requiredType, Object... args)
Updated Solution: We have to replace the class type with Object args and vice-versa.
Sql Query: SELECT STREET_NAME FROM table WHERE ID=1;
public String getStreetNameById(int id) {
JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
String sql = "SELECT STREET_NAME FROM table WHERE ID=?";
String streetName = (String) jdbcTemplate.queryForObject(
sql, String.class, new Object[] { id });
return streetName;
}
I usually do this way:
String result = DataAccessUtils.singleResult(
jdbcTemplate.queryForList(
"SELECT street_name FROM table WHERE id = :id",
Collections.singletonMap("id", id),
String.class
)
)
queryForList is used instead of queryForObject for handling empty results. queryForObject throws EmptyResultDataAccessException for empty results. Often it is not desired behavior.
DataAccessUtils.singleResult + queryForList:
returns null for empty result
returns single result if exactly 1 row found
throws exception if more then 1 rows found. Should not happen for primary key / unique index search
DataAccessUtils.singleResult
I need a stored procedure to compare mobile number list in my database table.
Example my table contain 100 rows,I pass java String array to stored procedure to get matching row values return.
The array contain multiple mobile numbers.
If any mobile numbers matched in my table mobile number column value it return row values.
Any possibilities available ?
If available please help me..
I have other solution it's working in spring Jdbc with mysql.
private static final String GET_MATCHING_MOBILE_NUMBERS = "SELECT USER_ID, USER_NAME, REGISTRATION_ID, IMEI_CODE, MOBILE_NUMBER FROM USER WHERE MOBILE_NUMBER IN (";
#Override
#Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_COMMITTED)
public List<UserDO> getMatchingExistingUsers(final String[] mobileNumbers) throws UserDataException {
JdbcTemplate jd = this.getJdbctemplate();
Object[] params = mobileNumbers;
List<UserDO> userDOs = jd.query(getSqlQuery(GET_MATCHING_MOBILE_NUMBERS, mobileNumbers), params, new BeanPropertyRowMapper<UserDO>(UserDO.class));
return userDOs;
}
private String getSqlQuery(String query_string, String[] array_values) {
StringBuilder query_builder = new StringBuilder();
query_builder.append(query_string);
for (#SuppressWarnings("unused")
String values : array_values) {
query_builder.append("?,");
}
query_builder.append("*");
String formated_query = query_builder.toString().replace(",*", ")");
return formated_query;
}
I want Mysql stored procedure if possible for above code..
Advance thanks..
Select query is
private static final String GET_MATCHING_MOBILE_NUMBERS = "SELECT USER_ID, USER_NAME, REGISTRATION_ID, IMEI_CODE, MOBILE_NUMBER FROM USER WHERE FIND_IN_SET(MOBILE_NUMBER,?);";
Jdbc code is
List<UserDO> userDOs = jd.query(GET_MATCHING_MOBILE_NUMBERS, new Object[] { formatedSqlText }, new BeanPropertyRowMapper<UserDO>(UserDO.class));
It's working fine without using String Builder and Stored procedure.
I got a Login class:
if((!(name.equals(null) || name.equals("")) && !(password.equals(null) || password.equals(""))))
{
try{
loggedUser = checkLogin(name, hexPass.toString());
if(!loggedUser.isEmpty())
{
userdbId = loggedUser.get(0);
userdbName = loggedUser.get(1);
userdbPsw = loggedUser.get(2);
userdbType = loggedUser.get(3);
...
And a user DAO:
public List<String> checkLogin(String uname, String password) {
Session session = null;
List<String> lst = new ArrayList<String>();
try {
session = getSession();
String sql = "select * from user where uname='" + uname + "' and password='" + password + "'";
Query query = session.createSQLQuery(sql)
.addScalar("Id", StringType.INSTANCE)
.addScalar("uname", StringType.INSTANCE)
.addScalar("password", StringType.INSTANCE)
.addScalar("utype", StringType.INSTANCE);
lst = query.list();
}
catch (Exception e){
e.printStackTrace();
}
return lst;
}
The userdbId = loggedUser.get(0); generates error: 500
java.lang.ClassCastException: [Ljava.lang.Object; cannot be cast to java.lang.String
com.se.pl.actions.LoginAction.execute(LoginAction.java:95)
I do not understand why this is happening since list of 4 strings is going to be put into 4 variables.
The error means that you have an Object and you are doing an implicit cast to String, so that's the error.
userdbId = loggedUser.get(0);
You can fix that by adding toString() method like:
userdbId = loggedUser.get(0).toString();
Of course, you are going to get the string representation for that object.
Note that if you have your own object you are going to get the following representation:
getClass().getName() + '#' + Integer.toHexString(hashCode())
In case you have this, you will need to override the toString() method in your class
You should use TypedQuery<T> instead of query and create objects of user entity type(if you have it defined - you definitely should have one) - it should look something like this (do not take this code literaly! I mainly use OpenJPA)
TypedQuery<UserEntity> query= session.createQuery("SELECT u FROM UserEntity u WHERE name=:name AND password=:password");
query.addParam("name",name);
query.addParam("password",password);
This probably should help:
Query query = session.createSQLQuery(sql)
.addScalar("Id", StringType.INSTANCE)
.addScalar("uname", StringType.INSTANCE)
.addScalar("password", StringType.INSTANCE)
.addScalar("utype", StringType.INSTANCE)
.setResultTransformer(org.hibernate.Criteria.ALIAS_TO_ENTITY_MAP);
Map row = (Map) query.uniqueResult();
lst.add((String) row.get("Id"));
lst.add((String) row.get("uname"));
lst.add((String) row.get("password"));
lst.add((String) row.get("utype"));