I have an application with a feature where user can make native SQL queries to database. Is there a way in hibernate to restrict native SQLQuery to only make SELECT queries?
Currently doing the query like this:
Query query = session.createSQLQuery(sql);
query.setResultTransformer(AliasToEntityOrderedMapResultTransformer.INSTANCE);
List<Map<String, Object>> aliasToValueMapList = query.list();
I know I have an option to create a SQL user with restricted privileges but would be nice to have this feature as backup as sometimes I have no control over the DB management.
I would not want to use sql.contains("update") style approach as in some occasions these "keywords" (update/delete etc.) could be needed in searching the data.
Related
I want to restrict delete/update statements
This is what I am trying
ResultSet rs = stmt.executeQuery("delete from test where id=243640033")
Ideally executeQuery method of JDBC should not allow update, delete and etc. But Crate Database is simply executing delete queries. Then I tried connection.setReadOnly(true) and it did not work
Is there any way to restrict Crate JDBC doing update/delete/drop operations from stmt.executeQuery(somequery) method ?
You could create a CrateDB user with Data Query Language (DQL) privileges only and subsequently use this user to connect with JDBC. This will prevent all INSERT / UPDATE / DELETE / DROP operations.
CREATE USER read_only WITH (password = '<secure-password>');
GRANT DQL TO read_only;
If required you can further restrict access only to specific schemas, tables or views. Compare the documentation on how to achieve this.
I am trying to write a query to fetch list as this query is native sql query, all I need is to transform to spring jpql in which I am failing badly. if there is any link related to this please let me know
I am supposed to get list from this query. as this query is working fine with postgres console but when I even tried this with spring jpa as native query
it is showing results in console but not fetching in service layer [edit:] I mean not calculating any result set.
I am sure I am missing some important/small thing here.
below is the native postgres query
selcet t.id,count(*), count(*) filter (where t.status = 'DONE') from table t where t.id in ([list]) group by t.id
what Im trying is
SELECT t.id, count(t), count(t.id) where staus = 'DONE' from Table t where t.id in ([list]) group by t.id
edit: with constructor based query this is not even working
I am not even sure how to start this query
while being new to this I am not even able to start how to solve this.
Any hint, insight will be useful
I'm using hibernate 3.6.4.Final and sql server 2008 r2 and got a query on a table with more than 20 million records. Criteria api does unfortunatly generate sub-optiomal queries when paging (select top 100010 from ... for result 100000 - 100010 ) when using firstResult / maxResult so I've reverted to native sql.
This queries run blazingly fast in sql studio but using named or positional parameters in hibernate those queries crawl painfully slow. Googling along I couldn't find any solution so I'm currently concatenating parameters which allows sql injections, but this is of course no option for production!
Now I'm wondering if there's something I've overlooked or at least some hibernate api or library I'm not aware of which I could use to sanitize parameters before rolling my own and probably failing to catch some edge case...
Unfortunately, Criteria API is the best way to avoid sql injection, but it is so slow, the best way is to use normal Hibernate Queries with dynamic parameters, i mean For ex:
String stringQuery ="select * from User as u where id = :id";
Query query=session.createQuery(stringQuery);
query.setParameter("id",12);
OR u can make your query more dynamic by creating a new Class MyQueryBuilder
public class myQueryBuilder(){
public Query buildQuery(int id){
String stringQuery ="select * from User as u where u.id = :id";
Query query=session.createQuery(stringQuery);
query.setParameter("id",12);
return query;
}
public Query buildQuery(int id,String name){
String stringQuery ="select * from User as u where u.id = :id and u.name = :name";
Query query=session.createQuery(stringQuery);
query.setParameter("id",12);
query.setParameter("name",name);
return query;
}
...
//Later you can call the query builder methods as you want depending on your params
}
and remember that it is always safe using setParameter() Method
I'm connecting to a database using jdbc, getting list of all schemas and tables from database (I assume that some databases may return at this point only tables which current user can query, but some of databases return full list of tables) and when user try to query some tables he get "insufficient privileges" error.
Is there a way to get only tables, user can query using only jdbc capabilities? Without writing special query to database.
Now I'm looking at
DatabaseMetaData dbMeta = connection.getMetaData()
dbMeta.getTablePrivileges(null, null, null);
But from result of this query it's not so clear which exactly tables can user query.
Currently I'm working with SAP HANA database, but in general it may be any database, so I'm looking for some common approach.
Please look at
http://docs.oracle.com/javase/7/docs/api/java/sql/DatabaseMetaData.html#getTablePrivileges%28java.lang.String,%20java.lang.String,%20java.lang.String%29
You have to get the each row from the ResultSet and query of column name TABLE_NAME which contains the table name and PRIVILEGE which contains the access of each table.
I got very typical issue. My dynamically generated query like this...
UPDATE Templates t SET t.TEMPLATE_DATA = replace(t.TEMPLATE_DATA, 'Test\'s Test', 'Kent"s Test'), t.TEMPLATE_DATA = replace(t.TEMPLATE_DATA, 'Test"s Test', 'Kent"s Test'), UPDATE_DATE = NOW() where PRACTICE_ID = 1 AND CATEGORY_ID IN (1)
This works perfect when I explictily fire this query in db. but by using hibernate's session.createQuery(-- my query --) if thwows an error QueryTranslatorException.
Database : Mysql 5.3
Have any one faced this issue?
Thanks in advance.
Try to run this in Hibernate as native SQL query:
session.createSQLQuery(-- query text --);
Because if you use
session.createQuery(-- query text --);
Hibernate will try to execute it as HQL query which differs from usual SQL query.
HQL is object oriented query language. It operates in terms of objects rather then in terms of tables. Here posted a brief description of difference between SQL and HQL. But if you have time better to read appropriate sections of hibernate's documentation about HQL and Native SQL usage.
If you want to execute SQL Query in hibernate, Use : session.createSQLQuery(String query);