I would like to supply collection/arrays in the "IN" parameter but I got
When I used array:
org.jooq.exception.SQLDialectNotSupportedException: Cannot bind ARRAY types in dialect MYSQL
When I used list:
org.jooq.exception.SQLDialectNotSupportedException: Type class java.util.Arrays$ArrayList is not supported in dialect DEFAULT
Here is my plain sql:
String sql = "SELECT SUM(foo.reply = 'Y') yes " +
"FROM foo " +
"LEFT OUTER JOIN bar " +
"ON foo.id = bar.foo_id " +
"WHERE " +
"foo.id = ? " +
"AND foo.some_id IN (?) "; //this is the part I would like to use array or list
Here's how I execute it
dslContext.fetch(sql, val(fooId), val(someIds))
.into(Summary.class);
You can't do that with single bind variables (except in PostgreSQL with arrays). But you can use nested plain SQL query parts in jOOQ as such:
String sql = "SELECT SUM(foo.reply = 'Y') yes " +
"FROM foo " +
"LEFT OUTER JOIN bar " +
"ON foo.id = bar.foo_id " +
"WHERE " +
"foo.id = {0} " +
"AND foo.some_id IN ({1}) "; // Use the {0}, {1} placeholders
And then
dslContext.fetch(sql,
val(fooId),
DSL.list(someIds.stream().map(DSL::val).collect(toList())))
.into(Summary.class);
See also DSL.list(QueryPart...)
Related
Unable to pass named parameters in #NamedNativeQuery in spring data jpa
my repo:
#Query(value = "select stat.desc as desc," +
" stat.priority as priority," +
" (case when sum(activeUser) is null then 0 else sum(activeUser) end) as activeUser," +
" (case when sum(totalUser) is null then 0 else sum(totalUser) end) as totalUser" +
" from lookup.user stat left outer join" +
" (" +
" select user.role as role, " +
" sum (case when user.STATUS = 'ACTIVE' then 1 else 0 end) as activeUser," +
" count(*) as totalUser," +
" user.group as group" +
" from Ctrl.user user" +
" where user.group =:userGroup " +
" and user.branch_code =:branchCode " +
" group by user.role,user.group" +
" ) as tbl on stat.role = tbl.role and stat.group = tbl.group" +
" where stat.group =:userGroup " +
" group by stat.desc, stat.priority" +
"", nativeQuery = true)
public List<com.cimb.dto.UserStatusSummary> getSummaryReport(#Param(value = "userGroup") String userGroup, #Param(value = "branchCode") String branchCode);
The underlying database is DB2
When I tried to access that method I am hitting following error.
DB2 SQL Error: SQLCODE=-302, SQLSTATE=22001, SQLERRMC=null, DRIVER=4.25.13
if I hard code those named parameters with values then it's working.
I can not use jpql as real queries have some subqueries in it, so I cant use JPQL
Edit Update
After some digging, I have found out that, the parameters I am passing are in the subquery, since JPA don't have subquery concept it's not injecting into named parameters which resulting in a syntax error.
Now how to work with Subqueries in JPA
Please help.
If i insert a quote symbol " in the codContract parameter I receive the following error.
Error querying database. Cause: java.sql.SQLSyntaxErrorException:
ORA-00972: identifier too long
The error may exist in mappers/existence.xml The error may involve
com.iv.queryinterface.AssistenzaMapper.getTitlesFromCodContratct-Inline
The error occurred while setting parameters
SQL:
SELECT t.id_title,
c.des_lastname,
c.des_firstname,
to_char(t.dta_raw, 'DD/MM/YYYY') AS DTA_RAW,
DECODE(t.cod_statustitle, '1', 'Raw', '2', 'Stated') AS STATUS_TITLE
FROM Ivf_Policy p,
Ivf_Title t,
Ivg_Client c,
Ivf_Price pr
WHERE Cod_Contract = TEST
AND p.id_policy = t.id_policy
AND t.cod_type_title IN(2, 3, 13)
AND t.cod_statustitle IN(1, 2)
AND t.cod_client = c.cod_client
AND t.id_price = pr.id_price;
Cause: java.sql.SQLSyntaxErrorException: ORA-00972: identifier too
long
In this example, i set " TEST as value for the codContract parameter. My questions are:
Is this an exploitable SQL injection or a false positive that just prints an sql error into the stack trace?
The code is susceptible to SQL injection, and does no escaping. All that is avoidable by the use of PreparedStatement. Where the query string is not composed dynamically.
Now "TEST is the first part of an SQL identifier till a closing double quote.
I do not want to instruct readers on hacking, but think what something like
"'' OR 1=1 "
+ "UNION SELECT u.login, u.password, '', '', '', '' "
+ "FROM users"
+ "\u0000-- ";
might reveal on data.
Use java.sql.PreparedStatement for avoiding SQL injection.
String query =
"SELECT " +
" t.id_title , " +
" c.des_lastname , " +
" c.des_firstname , " +
" TO_CHAR(t.dta_raw, 'DD/MM/YYYY') AS DTA_RAW, " +
" DECODE(t.cod_statustitle, '1', 'Raw', '2', 'Stated') AS STATUS_TITLE " +
"FROM " +
" Ivf_Policy p, " +
" Ivf_Title t, " +
" Ivg_Client c, " +
" Ivf_Price pr " +
"WHERE " +
"1 = 1 AND " +
" Cod_Contract = ? " +
"AND p.id_policy = t.id_policy " +
"AND t.cod_type_title IN(2, " +
" 3, " +
" 13) " +
"AND t.cod_statustitle IN(1, " +
" 2) " +
"AND t.cod_client = c.cod_client " +
"AND t.id_price = pr.id_price;";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, 'TEST');
ResultSet rs = stmt.executeQuery();
To avoid SQL injection, do not append parameter values directly to SQL queries.
Use bind variables instead.
Thanks.
For an application,I am checking if a table is filled so that I can retrieve that from it; otherwise I will retrive from another table. For that, I use a select and checks if it has null values by wasnull(). If it does, I execute a query; otherwise, I execute a differet query. The problem that I have is when it is null, it does not execute the query but returns null values !
Can you please show me what I am doing wrong or a better solution ?
Here is my code:
String reqEx = "SELECT PYE_DATEDEBUT,PYE_DATEFIN FROM PGEXCEPTPRESENCE WHERE PYE_SALARIE='"+chaine+"' ";
ResultSet rs = stmt.executeQuery(reqEx);
if (rs.wasNull()) {
req = " select jour.PJO_HORDEBPLAGE1,jour.PJO_HORFINPLAGE1,jour.PJO_HORDEBPLAGE2,jour.PJO_HORFINPLAGE2"
+ " from profilpressalarie propressal join profilpresence propres on propressal.ppz_profilpres = propres.ppq_profilpres "
+ "join modelecycle modcyc on propres.PPQ_CYCLEAFFECT = modcyc.PMO_MODELECYCLE join JOURNEETYPE jour " +
" on modcyc.PMO_JOURNEETYPE= jour.PJO_JOURNEETYPE where modcyc.PMO_ORDREJOUR='"+orderJ+"' " +
" and propressal.PPZ_salarie= '"+chaine+"'";
}
else{
while(rs.next()){
req = " select jour.PJO_HORDEBPLAGE1,jour.PJO_HORFINPLAGE1,jour.PJO_HORDEBPLAGE2,jour.PJO_HORFINPLAGE2"
+ " from PGEXCEPTPRESENCE exc join profilpresence propres on exc.PYE_CYCLEAFFECT = propres.ppq_profilpres join modelecycle modcyc " +
"on propres.PPQ_CYCLEAFFECT = modcyc.PMO_MODELECYCLE join JOURNEETYPE jour " +
"on modcyc.PMO_JOURNEETYPE= jour.PJO_JOURNEETYPE where modcyc.PMO_ORDREJOUR='"+orderJ+"' " +
"and exc.PYE_SALARIE= '"+chaine+"' ";
}}
rs.wasNull() is meant to be used for verifying the last read column is NULL or not. If your table's first column is a primitive data type like int it will not return NULL. So in this case you need to verify if the query returns any row or not. For this please use the following if condition:
if (!rs.next()) {
req = " select jour.PJO_HORDEBPLAGE1,jour.PJO_HORFINPLAGE1,jour.PJO_HORDEBPLAGE2,jour.PJO_HORFINPLAGE2"
+ " from profilpressalarie propressal join profilpresence propres on propressal.ppz_profilpres = propres.ppq_profilpres "
+ "join modelecycle modcyc on propres.PPQ_CYCLEAFFECT = modcyc.PMO_MODELECYCLE join JOURNEETYPE jour " +
" on modcyc.PMO_JOURNEETYPE= jour.PJO_JOURNEETYPE where modcyc.PMO_ORDREJOUR='"+orderJ+"' " +
" and propressal.PPZ_salarie= '"+chaine+"'";
}
I have the following SQL query in my j2ee web app that I am unable to get to work, as-is. The named parameters sourceSystem and sourceClientId do not appear to get passed to the query, and therefore it does not return any records. I added a watch to the Query object querySingleView and it maintained a value of null as the debugger ran through the code. I also inserted a System.out.println statement just under the method declaration and confirmed that the correct values sourceSystem and sourceClientId are being passed to the method signature. I am using NetBeans 8.0, JPA 2.1, running on a JBoss EAP 6.21 server. I have multiple Entities mapped to several tables in an Oracle database.
Here is the query (I should note that the items in the query follow a schema.table.column format - not sure if that is part of the problem, but it does work in one test, see my comment and sample below the main query below):
public List<String> searchSingleView (String sourceSystem, String sourceClientId) {
//Change the underscore character in the source system value to a dash, and make it uppercase. This is what single view accepts
if (!sourceSystem.equals("")) {
sourceSystemSingleView = sourceSystem.replace('_', '-').toUpperCase();
}
String sqlSingleViewQuery = "SELECT DISTINCT " +
"MDMCUST_ORS.C_BO_CONTRACT.LAST_ROWID_SYSTEM AS POLICY_SYSTEM, " +
"MDMCUST_ORS.C_BO_CONTRACT.SRC_POLICY_ID AS POLICY_ID, " +
"MDMCUST_ORS.C_BO_CONTRACT.ISSUE_DT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.SRC_CLIENT_ID AS SRC_CLIENT_ID, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.PERS_FULL_NAME_TXT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.ORG_LEGAL_NAME_TXT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.ORG_LEGAL_SFX_TXT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.ORG_NAME_TXT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.SIN_BIN_TEXT, " +
"MDMCUST_ORS.C_BO_PARTY_XREF.PERS_BIRTH_DT, " +
"MDMCUST_ORS.C_LU_CODES.CODE_DESCR_EN AS ADDRESS_PURPOSE_CD, " +
"MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.COMPLETE_ADDRESS_TXT, " +
"MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.CITY_NAME, " +
"MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.COUNTRY_NAME, " +
"MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.POSTAL_CD, " +
"MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.STATE_PROVINCE_NAME " +
"FROM MDMCUST_ORS.C_BO_PARTY_XREF " +
"LEFT JOIN MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR ON MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.PARTY_ROWID = MDMCUST_ORS.C_BO_PARTY_XREF.ROWID_OBJECT " +
"LEFT JOIN MDMCUST_ORS.C_LU_CODES ON MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.POSTAL_ADDR_PURPOSE_CD = MDMCUST_ORS.C_LU_CODES.CODE " +
"LEFT JOIN MDMCUST_ORS.C_BO_PARTY_REL ON MDMCUST_ORS.C_BO_PARTY_XREF.ROWID_OBJECT = MDMCUST_ORS.C_BO_PARTY_REL.FROM_PARTY_ROWID " +
"LEFT JOIN MDMCUST_ORS.C_BO_CONTRACT ON MDMCUST_ORS.C_BO_PARTY_REL.CONTRACT_ROWID = MDMCUST_ORS.C_BO_CONTRACT.ROWID_OBJECT " +
"WHERE MDMCUST_ORS.C_BO_CONTRACT.LAST_ROWID_SYSTEM = :sourceSystemSingleView " +
"AND MDMCUST_ORS.C_BO_PARTY_XREF.SRC_CLIENT_ID = :sourceClientId " +
"AND MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.POSTAL_ADDR_PURPOSE_CD = '56|07' " +
"AND MDMCUST_ORS.C_BO_PARTY_POSTAL_ADDR.LAST_ROWID_SYSTEM = MDMCUST_ORS.C_BO_CONTRACT.LAST_ROWID_SYSTEM " +
"ORDER BY MDMCUST_ORS.C_BO_CONTRACT.LAST_ROWID_SYSTEM";
querySingleView = emSingleView.createQuery(sqlSingleViewQuery);
querySingleView.setParameter("sourceSystemSingleView", sourceSystemSingleView);
querySingleView.setParameter("sourceClientId", sourceClientId);
querySingleViewResult = (List<String>) querySingleView.getResultList();
return querySingleViewResult;
}
}
However, if I put literal values in the SQL query in place of the positional parameters it works fine (without using the setParameter method).
WHERE MDMCUST_ORS.C_BO_CONTRACT.LAST_ROWID_SYSTEM = 'ADMIN' " +
"AND MDMCUST_ORS.C_BO_PARTY_XREF.SRC_CLIENT_ID = '0000001234' " +
I have looked online but haven't as yet found anything that seems to address this specific question. Any help would be greatly appreciated. Thank you!
i want to select rows from a table in JPA, my query paramter could be null.
So if it is null i want to consider all values for that attribute in that table.
Here is my code :
#Query("SELECT art FROM ArtWork art INNER JOIN art.subjects subject "
+ "INNER JOIN art.styles style "
+ "INNER JOIN art.collections collection "
+ "INNER JOIN art.priceBuckets priceBucket "
+ " WHERE ((subject.title) in (:subjectList) "
+ "AND (style.title) in (:styleList)"
+ "AND (collection.title) in (:collectionList)"
+ "AND (priceBucket.title) in (:priceBucketRangeList)"
+ "AND (art.medium is NULL OR art.medium = :medium)"
+ "AND (art.orientation) LIKE:orientation)"
+ ")")
In the code if :medium is null then i want it search on all mediums in the table
Thanks