public static int add_Book(String title, String auth_name, String publisher, String genre) {
Transaction tx = session.beginTransaction();
Query query = session.createQuery
("INSERT INTO Book(title,auth_name,publisher,genre)"
+ "SELECT "+title+", "+auth_name+", "+publisher+", "+genre);
tx.commit();
return query.executeUpdate();
and this error
Exception in thread "AWT-EventQueue-0"
java.lang.IllegalStateException: No data type for node:
org.hibernate.hql.internal.ast.tree.IdentNode +-[IDENT] IdentNode:
'q' {originalText=q}...
'q' is JTextField data
insert 'q' to 'title'
... Help would BE appreciated..
Just do it
public static void addBook(String title, String authName, String publisher, String genre) {
session.save(new Book(title, authName, publisher, genre));
}
Obviously, you should wrap that method with session/transaction control code.
And, please, always use Java Naming Convention!
auth_name, add_Book are incorrect names — use authName, addBook instead.
I think the answer of #v.ladynev is good but you can also try like this :
public static void addBook(String title, String authName, String publisher, String genre) {
Session session = HibernateUtil.getSessionFactory().openSession();
Transaction tx = null;
// create book Object
Book book = new Book();
book.setTitle(title);
book.setAuthName(authName);
book.setPublisher(publisher);
book.setGenre(genre);
try {
tx = session.beginTransaction();
// Save the book to database
session.save(book);
tx.commit();
}catch(Exception e){
if (tx!=null) {
tx.rollback();}
e.printStackTrace();
}finally{
// close your session
session.close();
}
}
Use at least the Bean class to code "cleanly". We use the query only in special cases, otherwise we must at most avoid it in the code or use at least bundle resources.
Anything else checks that in your Book bean class you havesetAuthName and not setAuth_Name.
Related
I am having a problem with setting a parameter in an SQL Query statement created from a JPA EntityManager.
I am working in an EJB and the EntityManager object for the session is valid.
import javax.persistence.EntityManager;
import javax.persistence.Query;
pubic void methodWorks(EntityManager em, String schema) {
String sqlStmt = "ALTER SESSION SET CURRENT_SCHEMA = " + schema;
try {
em.createNativeQuery(sqlStmt).executeUpdate();
}
catch(Exception ex) {
ex.printStackTrace();
}
}
pubic void methodFails1(EntityManager em, String schema) {
String sqlStmt = "ALTER SESSION SET CURRENT_SCHEMA = ?";
try {
em.createNativeQuery(sqlStmt).setParameter(1, schema).executeUpdate();
}
catch(Exception ex) {
ex.printStackTrace();
}
}
pubic void methodFails2(EntityManager em, String schema) {
String sqlStmt = "ALTER SESSION SET CURRENT_SCHEMA = ?1";
try {
em.createNativeQuery(sqlStmt).setParameter(1, schema).executeUpdate();
}
catch(Exception ex) {
ex.printStackTrace();
}
}
pubic void methodFails3(EntityManager em, String schema) {
String sqlStmt = "ALTER SESSION SET CURRENT_SCHEMA = :inputSchema";
try {
em.createNativeQuery(sqlStmt).setParameter("inputSchema", schema).executeUpdate();
}
catch(Exception ex) {
ex.printStackTrace();
}
}
The problem is that a Fortify Scan (which this must pass) identifies the sqlStmt in the methodWorks method as being vulnerable to an SQL Injection Attack (from Fortify). The failed methods all report
Internal Exception java.sql.SQLSyntaxErrorException: ORA:-02421 mission or invalid schema authorization identifier.
Error Code 2421
Call: ALTER SESSION SET CURRENT_SCHEMA = ?
bind => [1 parameter bound]
Merely sanitizing the input parameter "isn't good enough" to pass the Fortify and QA.
Setting it as a parameter (which hint-hint: CAN be easily fooled) will pass the Fortify scan and QA requirements.
This query is indeed open to SQL injection because you're using string concatenation.
The safe way to handle a query like this is to use parameters.
String sqlStmt = "ALTER SESSION SET CURRENT_SCHEMA = ?";
Query updateQuery = em.createNativeQuery(sqlStmt);
updateQuery.setParameter(0, schema);
updateQuery.executeUpdate();
Parameter values are automatically escaped for you. This saves you time as you don't need to worry about SQL injection any longer. This is solved in the Query/EntityManager class.
Also, it makes the query a lot easier to read.
I want to test how JDBC transactions work. Particularly, I want to see a read of uncommitted data. I've written one integration test in spring boot environment using a locally installed PostgreSQL database.
I'm trying to insert a row into a table, read it from one transaction, then update from another transaction without committing it, and read it again hoping it would change.
Table for the test (DDL):
create table users
(
id integer default nextval('user_id_sequence'::regclass) not null
constraint users_pkey
primary key,
first_name varchar(255) not null,
second_name varchar(255) not null,
email varchar(255)
);
alter table users
owner to postgres;
The test:
public void testHealthCheck() throws SQLException {
Connection zeroConnection = dataSource.getConnection();
Integer insertedUserId = insertUserSilently(zeroConnection, new User()
.setFirstName("John")
.setSecondName("Doe")
.setEmail("johndoe#gmail.com"));
zeroConnection.close();
Connection firstConnection = dataSource.getConnection();
firstConnection.setTransactionIsolation(Connection.TRANSACTION_READ_UNCOMMITTED);
firstConnection.setAutoCommit(false);
Connection secondConnection = dataSource.getConnection();
secondConnection.setTransactionIsolation(Connection.TRANSACTION_READ_UNCOMMITTED);
secondConnection.setAutoCommit(false);
List<User> users = getAllUsersSilently(firstConnection);
log.info("Got users: {}", silentToJsonString(users));
PersistenceUtils.updateUserEmailSilently(secondConnection, insertedUserId, "johndoe#yahoo.com");
users = getAllUsersSilently(firstConnection);
log.info("Got users: {}", silentToJsonString(users));
secondConnection.rollback();
secondConnection.close();
users = getAllUsersSilently(firstConnection);
log.info("Got users: {}", silentToJsonString(users));
firstConnection.close();
}
Utility class:
private static final String INSERT_USER_SQL = "insert into users(first_name, second_name, email) values (?, ?, ?)";
private static final String UPDATE_USER_SQL = "update users set email = ? where id = ?;";
private static final String SELECT_ALL_USERS_SQL = "select * from users";
public static List<User> extractUsersSilently(ResultSet resultSet) {
List<User> resultList = newArrayList();
try {
while (resultSet.next()) {
Integer id = resultSet.getInt(1);
String firstName = resultSet.getString(2);
String secondName = resultSet.getString(3);
String email = resultSet.getString(4);
resultList.add(new User(id, firstName, secondName, email));
}
} catch (SQLException e) {
log.error("Error while extracting result set", e);
return emptyList();
}
return resultList;
}
public static Integer insertUserSilently(Connection connection, User user) {
try {
PreparedStatement insertStatement = connection.prepareStatement(INSERT_USER_SQL, Statement.RETURN_GENERATED_KEYS);
insertStatement.setString(1, user.getFirstName());
insertStatement.setString(2, user.getSecondName());
insertStatement.setString(3, user.getEmail());
insertStatement.execute();
ResultSet resultSet = insertStatement.getGeneratedKeys();
resultSet.next();
return resultSet.getInt(1);
} catch (Exception exception) {
log.error(format("Exception while inserting user %s", user), exception);
return -1;
}
}
public static List<User> getAllUsersSilently(Connection connection) {
try {
PreparedStatement selectStatement = connection.prepareStatement(SELECT_ALL_USERS_SQL);
selectStatement.execute();
return extractUsersSilently(selectStatement.getResultSet());
} catch (Exception exception) {
log.error("Exception while getting all users", exception);
return Collections.emptyList();
}
}
public static void updateUserEmailSilently(Connection connection, Integer userId, String userEmail) {
try {
PreparedStatement updateStatement = connection.prepareStatement(UPDATE_USER_SQL);
updateStatement.setString(1, userEmail);
updateStatement.setInt(2, userId);
updateStatement.execute();
} catch (Exception exception) {
log.error(format("Exception while updating user %d", userId), exception);
}
}
}
Actual results are (you have to clear table manually before the test):
Got users:
[{"id":55,"firstName":"John","secondName":"Doe","email":"johndoe#gmail.com"}]
Got users:
[{"id":55,"firstName":"John","secondName":"Doe","email":"johndoe#gmail.com"}]
Got users:
[{"id":55,"firstName":"John","secondName":"Doe","email":"johndoe#gmail.com"}]
Although second read should've seen uncommitted change to email.
Cannot read uncommitted data in Postgres
See section 13.2. Transaction Isolation of the PostgreSQL documentation:
In PostgreSQL, you can request any of the four standard transaction isolation levels, but internally only three distinct isolation levels are implemented, i.e. PostgreSQL's Read Uncommitted mode behaves like Read Committed. This is because it is the only sensible way to map the standard isolation levels to PostgreSQL's multiversion concurrency control architecture.
This means that if you want to test TRANSACTION_READ_UNCOMMITTED, you need a DBMS other than PostgreSQL.
i've come across a problem in these days, which would be simple for other languages, like php, but the project I'm doing is in Spring MVC.
The question is: In Spring MVC, how can i delete an entity with two attributes ids coming from this entity?
Example: "Delete from Entity Where id1 =: id1 and id2 =: id2" (This is the query that i want)
Thanks for the attention.
What i was trying ...
public boolean remover(int idUsuario, int idCategoria) {
EntityManagerFactory factory = Persistence.createEntityManagerFactory(PERSISTENCE_UNIT);
EntityManager manager = factory.createEntityManager();
String hqlStr = "delete from UsuarioEscolheCategoria where idUsuario = :idUsuario and idCategoria = :idCategoria";
Query query = null;
try {
query = manager.createQuery(hqlStr);
query.setParameter("idUsuario", idUsuario);
query.setParameter("idCategoria", idCategoria);
query.executeUpdate();
manager.close();
factory.close();
return true;
}catch(Exception e) {
return false;
}
}
If i take the exception, it gives me:
String hqlStr = "delete from UsuarioEscolheCategoria where usuario.idUsuario = :idUsuario and categoria.idCategoria = :idCategoria";
The important part is usuario.idUsuario and categoria.idCategoria. That way you're making a reference to the attribute type Usuario, which is on your model class.
you prblem is the session factory, check how you have created it, here a simple usefull example:
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
#Autowired
private SessionFactory sessionFactory;
protected Session getSession() {
return sessionFactory.getCurrentSession();
}
public void deleteById(Integer id) {
Query query = getSession().createSQLQuery("delete from TABLE where id = :t_id");
query.setInteger("t_id", id);
query.executeUpdate();
}
I call this method to convert hql query to sql:
public String toSql(String hqlQueryText) {
if (hqlQueryText != null && hqlQueryText.trim().length() > 0) {
QueryTranslatorFactory translatorFactory = new ASTQueryTranslatorFactory();
SessionFactoryImplementor factory = (SessionFactoryImplementor) sessionFactory;
QueryTranslator translator = translatorFactory.createQueryTranslator(hqlQueryText, hqlQueryText, Collections.EMPTY_MAP, factory, null);
translator.compile(Collections.EMPTY_MAP, false);
return translator.getSQLString();
}
return null;
}
and I have this filter in .hbm.xml file of domain class:
<filter name="userAuthorize" condition="some sql query here" />
but I don't know how I should tell hibernate to apply this filter when converting from hql to sql.
Assume that I call above method like this:
public Session getSession() {
try {
return sessionFactory.getCurrentSession();
}
catch (Exception e) {
}
return sessionFactory.openSession();
}
public List<DomainClass> getAll() {
String hql = " some hql query ";
Session session = getSession();
String sql = toSql(hql);
return session.createSQLQuery(sql).list();
}
Not a great Idea. But maybe It helps.
HQL and SQL have some differences, for instance with join , 'on' is used in SQL and 'with' is used in HQL.
So maybe you can use list of words that are unique to HQL and check for them in your String using
hql.contains("with") or hql.indexOf("with").
It is not the responsibility of the QueryTranslator to apply filters. Also, filters don't get applied to native SQL.
It looks like you just want to execute the HQL query? There is no need to have it translated to SQL first:
public List<DomainClass> getAll() {
String hql = " some hql query ";
return session.createQuery(hql).list();
}
Trying to understand more about Hibernate,I wrote some code which creates some entities and saves them in db and then tries to delete one of the entities.
The mapping file for entity Customer has id generator set to native.I am using postgresql as db.
...
<class name="Customer" table="CUSTOMER">
<id column="CUSTOMER_ID" name="customer_id" type="java.lang.Long">
<generator class="native"/>
</id>
...
I came across hibernate.NonUniqueObjectException.
org.hibernate.NonUniqueObjectException: a different object with the same identifier value was already associated with the session: [org.me.hibernatestore.Customer#129]
Full stack trace here
I fired up the eclipse debugger and found that the object involved has same address in all the involved methods ..
The relevant part of the code is
public class Main {
CustomerDao custdao;
Customer mark;
public void storeDemo(){
custdao = DaoFactory.getCustomerDao();
createCustomers();
updateEntities();
deleteCustomer(mark);
}
private void createCustomers() {
mark = new Customer();
mark.setName("mark");
mark.setEmailAddress("mark#home");
mark.setAddress("121,3rd avenue");
mark.setCity("San Diego");
mark.setState("CA");
mark.setCountry("U.S.A");
}
private void updateEntities() {
Transaction tx = null;
Session session = HibernateUtil.getCurrentSession();
try{
tx = session.beginTransaction();
custdao.saveOrUpdateCustomer(mark);
tx.commit();
}catch(RuntimeException e){
tx.rollback();
throw e;
}
}
private void deleteCustomer(Customer cust){
Transaction tx = null;
Session session = HibernateUtil.getCurrentSession();
try{
tx = session.beginTransaction();
String custName = cust.getName();
custdao.deleteCustomer(cust);
tx.commit();
}catch(RuntimeException e){
tx.rollback();
throw e;
}
}
public static void main(String[] args) {
new Main().storeDemo();
}
}
With the help of debugger I found the address of object 'mark'
Main.createCustomers(): mark-> Customer#2bc3f5
CustomerDaoImpl.saveOrUpdateCustomer(Customer customer):customer-> Customer#2bc3f5
BaseDaoImpl.saveOrUpdate(T obj):obj-> Customer#2bc3f5
Main.deleteCustomer(Customer customer):customer-> Customer#2bc3f5
CustomerDaoImpl.deleteCustomer(Customer customer):customer-> Customer#2bc3f5
BaseDaoImpl.delete(T obj):obj-> Customer#2bc3f5
Experimenting further,I modified the code and through dao.findById() got a different object with same id and used that in deleteCustomer().This time the code worked without throwing any exception
public class Main {
CustomerDao custdao;
Customer mark;
public void storeDemo(){
custdao = DaoFactory.getCustomerDao();
createCustomers();
updateEntities();
Long mark_id = mark.getCustomer_id();
Customer mark2 = getCustomer(mark_id);
deleteCustomer(mark2);
}
private Customer getCustomer(Long id){
Transaction tx = null;
Customer cust = null;
Session session = HibernateUtil.getCurrentSession();
try{
tx = session.beginTransaction();
return custdao.findCustomerById(id);
}catch(RuntimeException e){
throw e;
}
}
...
}
Can someone explain this behaviour?My understanding about the 'a different object with the same identifier value' part of the error message is fuzzy ..The object as shown in debugger in the first case has same memory address everywhere in the code.Then how can it be a different object?
sincerely
Jim
This exception usually occurs when dealing with detached objects. In order to avoid that, you have to get the object and delete it in the same session or reattach it to the session and then delete it.
Hope this helps!