I am using below jpa code. How can we prevent below code from sql injections?
List<Document> docs= em.createQuery("SELECT c FROM Document c WHERE c.docId = :docId ", Document.class)
.setParameter("docId", docId).getResultList();
http://www.adam-bien.com/roller/abien/entry/preventing_injection_in_jpa_query
It already is protected against SQL injection. Your code is using parameters.
Also if you want, you can use Criteria APIs to build the same query.
Related
I currently have the query stated below. I know this works as a SQL query, but because I am using the EntityManager, from javax.persistence, it requires JPQL. And I don't know JPQL. If there is a way to rewrite this in JPQL that would be nice.
Query q = entityManager.createNativeQuery("
WITH original AS (SELECT *, COUNT(ref) as c FROM Tri WHERE triH IN :list GROUP BY ref
SELECT ref FROM original WHERE c = :amtTri");
q.setParameter("list", posTri);
q.setParameter("amtTri", posTri.size());
Actual query:
WITH original AS (SELECT *, COUNT(ref) as c FROM Tri WHERE triH IN :list GROUP BY ref
SELECT ref FROM original WHERE c = :amtTri
I am trying to do this in a Quarkus project using the Repository method, if there is a way to use that, that would also be fine
Thanks in advance!
I believe that using the EntityManager don't obligates you to use JPQL, you can also use Native Queries.
As your query looks not so simple (for me at least), I would do it using Native Queries and not JPQL. You can run Native Queries using the EntityManager from javax.persistence. This tutorial explains how you can do this.
I want to get all the values from a particular column in JPA and store all values into a list. currently, I am using the below approach but I am getting records in something else format.can someone please help me out
Query q1 = factory.createNativeQuery("select * from booking_attendee where booking_id="+id);
List<String> em1=q1.getResultList();
return em1;
query otput
em=[[Ljava.lang.Object;#68606667, [Ljava.lang.Object;#2cd7f99a, [Ljava.lang.Object;#137a5a5, [Ljava.lang.Object;#a45cc1c, [Ljava.lang.Object;#61fdc06d, [Ljava.lang.Object;#72f5eee1, [Ljava.lang.Object;#4e536797]
If you want to create a native query for this, it is more about how to solve this in SQL. You do not say SELECT * which means all columns. You would have to say SELECT your_column_name to select only a specific column.
Query q1 = factory.createNativeQuery("SELECT your_column FROM booking_attendee");
List<String> em1 = q1.getResultList();
The WHERE clause could and should be defined with the parameter binding of JPA. There are several advantages concerning performance and SQL injection.
Named parameter binding is special to the persistence provider (e.g. Hibernate). The common way for JPA is using ? to let your code be portable to other providers.
Query q1 = factory.createNativeQuery("SELECT your_column FROM booking_attendee b WHERE b.booking_id = ?");
q1.setParameter(1, id);
List<String> em1 = q1.getResultList();
Native queries offer the possibilities to use original SQL. Like this, some features which are specific for your database could be used with this. Nevertheless, if you do not have very specific SQL code, you should also have a look in JPQL, the specific query language of JPA, and the JPA Criteria API which offers advantages when you want to refactor your code, shows errors during compile time and makes the dynamic creation of queries easier.
I have a spring application that should connect to an existing database and just query an entity for existence based on some attributes.
I don't want to create a #Entity class for this. But I still want to use the spring managed EntityManager etc.
When using Spring, what is the best approach to just query a select for that entity? Using em.createNamedQuery(QUERY); with String QUERY = "SELECT count(*) from my_table where username =: username AND email := email)";?
Answers from #predrag-maric and #pL4Gu33 are both correct but if you use JPA in your project (for example, Hibernate) you might consider using #NamedNativeQuery annotation as well.
More about named native queries.
simple example of native query
#PersistenceContext
EntityManager em;
public String test(Integer id)
{
Query query = em.createNativeQuery("SELECT name FROM Accounts where id=?");
query.setParameter(1,id);
return query.getSingleResult();
}
You can use this method from entitymanager. http://docs.oracle.com/javaee/6/api/javax/persistence/EntityManager.html#createNativeQuery%28java.lang.String%29
Use em.createNativeQuery(QUERY). Also, you'll have to use positional parameters (?1) instead of named parameters (:email), because only positional parameters are supported by JPA in native queries.
I'm working with JPA. How could my application be SQL injection safe if I'm using a native sql query (not entity query)? I need to build the native sql query with the data submitted by a user from a html form.
If I use parameters in the native sql I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.
You should use positional parameters binding:
String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");
Please note that you should not use named parameters binding (:empName) in your query as JPA Spec says
Only positional parameter binding may be portably used for native queries.
This should secure you from SQL Injection attacks.
How can I write a JPA query using MONTH function just like sql query?
#NamedQuery(name="querybymonth", query="select t from table1 t where MONTH(c_Date) = 5")
When I use the above pattern for query, I get an error: unexpected token - MONTH.
If you are using EclipseLink (2.1) you can use the FUNC() function to call any database function that is not defined in the JPA JPQL spec.
i.e.
FUNC('MONTH', c_Date)
In JPA 2.1 (EclipseLink 2.5) the FUNCTION syntax becomes part of the specification (and replaces the EclipseLink-specific FUNC).
If you are using TopLink Essentials, you cannot do this in JPQL, but you can define a TopLink Expression query for it (similar to JPA 2.0 criteria), or use native SQL.
Also if you are using any JPA 2.0 provider and using a Criteria query there is a function() API that can be used to define this.
I want to query YEAR(itemDate) but the function doesn't exit, then i saw the SUBSTRING() function so what i did was
Select q from table where SUBSTRING(itemDate, 1, 4)='2011'
and it works for me! hope it helps!
if you need you a dynamic variable, you can do that too. here :poDate is the year which is deifned in the setParameter();
#NamedQuery(name = "PurchaseOrders.findByYear", query = "SELECT p FROM PurchaseOrders p WHERE SUBSTRING(p.poDate, 1, 4) = :poDate")
Query q = em.createNamedQuery("PurchaseOrders.findByYear");
q.setParameter("poDate", s_year+"");
but if your okay with your solutions, that'll be fine. i just find JPA faster to execute.
The MONTH() function exists in Hibernate HQL but is not a standard JPA function. Maybe your JPA provider has some proprietary equivalent but you didn't mention it. If it doesn't, fall back on native SQL.
I am using Toplink Essentials for the same. Please help, if any function exists in Toplink. Thanks.
To my knowledge, TopLink doesn't have a direct equivalent. So either use a native SQL query or maybe a TopLink Expression query (not sure about this, and not sure this is available in TopLink Essentials).
Following worked for me with hibernate (4.3.9.Final) & JPA 2.1.
#NamedQuery(name = "PartyEntity.findByAID", query = "select distinct psc.party from PartyShortCode psc where (psc.shortCode = :aidNumber or FUNCTION('REPLACE',psc.accountReference,' ','') = :aidNumber) and psc.sourceSystem in :sourceSystem")
if your class holds a date type variable, you can use a query like this:
#Query("select m from Movement m where m.id_movement_type.id=1 and SubString(cast(m.date as text),1,4) = :year")
List<Movement> buysForYear(#Param("year") String year);