I am looking for SQL query parser for MySQL queries. Using which I can parse the query, modify the query object and print back modified query
JSQL Parser was exactly what I needed but It has 2 main issues while escaping single quote inside column values
https://github.com/JSQLParser/JSqlParser/issues/167
https://github.com/JSQLParser/JSqlParser/issues/166
So I am looking for open source alternative which can help me with the task
Presto-parser I tried was not able to parse Update queries
If anyone else is aware of any other reliable SQL Parsing library please let me know
Regarding JSqlParser:
Issue 166 already fixed.
The escaping of single quotes is not supported, but using double single quotes is. Therefore someone could replace all \' using '' before parsing.
EDIT: Issue 167 fixed within actual Snapshot 0.9.5 of JSqlParser.
One year ago i search for the same thing but finally i use another approach. Those were the projects that i found to parse sql.
ANTLR. Is commonly used generic parser. It's a kind of parser generator. From a set of rules it writes the java code. There are rules for a lot of thins like spanish, java or sql.
JParsec. Seems similar to the previous one. Seems that already exists SQL rules, but does not seem easy to use.
ZQL. Uses JavaCC to auto-generate Java code that parses the SQL. I test this one but i can not get it working as i want. And i think that the project is discontinued.
sql-parser. It looks nice, but when i tested it i can not get it working. The link seems to not work, but i think that this is a fork of the original project.
jOOQ is a great library for those that don't need or like an ORM and also has a parser.
Related
I have a database change template to used by the team, it was accepted but the only thing needed is:
1- Can we have syntax formatting for SQL within the same form?
2- How can we get only the DDL part out of this to generate a simple text field/file?
Note: This template will be used once per a month and it will have all the database changes, I'm looking for a way to make the syntax to be formatted like the SQL format, and is there a way where I could extract or Export only the queries to one text file even programmatically by using java or any similar programming language.
Please advice and thank you.
Based on the comments I understand that you want to capture a cell value by using Values.get(). You can easily do that by following a quickstart tutorial (available on Java and Node.js as requested). That will help you to set up a working environment with Sheets API. After completing it, you only have to update the code to include Values.get(). Please ask me any additional doubt if required.
I am completely new to Programming language translation and don't know how to start. I want to convert stored procedures written in PL/SQL to Java, to make our application database independent.
There are about 50 stored procedures, each having about 10000-15000 lines of code. I am looking for a way to automate this.
I have got a reference of ANTLR parser, and have found some parsers on GitHub, but have no clue, how to go about it.
First of all you must know some theory, and also you have to learn something about ANTLR. The ANTLR parser will give you "only" AST (Abstract syntax tree), which is just a small 1st step. The rest is up to you. There is an article called "Life after parsing" describing the problems with automatic translation. If you do not have an experience with this, you probably should not start this way.
You can use ANTRL for:
generation of PL/SQL code call-tree. To get some overview of code's business logic.
extract SQL statements from PL/SQL code
extract table names from SQLs
This can give you some overview which "module" accesses particular tables.
You can also serialize the AST tree into some "fake" java code, where original PL/SQL will be stored as comments. But the rest it up to you. PL/SQL programming style is different from Java one.
PS: You will also find that some of Oracle's proprietary SQLs can not be easily translated into ISO SQL92, and some databases do not even support ISO SQL92 (or higher). So as I wrote before most of the work must be done manually. So maybe rewriting it from scratch is not so bad idea.
I write a database mid-ware for mysql. I need to determine a sql statement isRead statement or isWrite statement and extract the schema and tables information. Some parser I found through google only parse the DML statement. But I need a parser can parse all statement what mysql server can do.
Do you think that is a good idea I call the mysql parser directly in java or is that possible?
Do you think that is a good idea I call the mysql parser directly in java or is that possible?
No I don't think it is a good idea. Calling C / C++ code from Java is rarely a good idea. And in this case, the parser is embedded in a whole bunch of other code, and it is likely to be able separate it out. On top of that, it will emit the parse tree as complicated native data structures that will be difficult to use from Java.
A better approach would be to take an existing open source Java parser for SQL, and (over time) add support for parsing MySQL-specific statements.
You may want to consider using code from Alibaba's Druid project. Although designed as a sophisticated connection pooling library, this project supports a very advanced parser and AST for ANSI SQL and non-ANSI dialects such as MySQL, Oracle, SQL Server, etc. The project is open source and bears the very liberal Apache License Version 2.0.
The main entry points into this part of the library is SQLUtils.java.
I writing a dynamic HTML parsers functionality.
I will want to modify existing parsers and also would want to add more parsers (I expect parsers will be modified as sites a remodified and new parsers will be needed for new sites).
I started writing a generic functionality which use a XML with conditions and rules for each site but as this works fine for now, I'm pretty sure it will need constant modifications...
The parsers will parse and write the data to a DB.
My application runs on JBOSS 4.
Any known best practice for that?
Thanks,
Rod
Thanks for your answer. Maybe I was unclear. I realized that imm. from the rate my question got. What I am writing feature that manage parsers execution. Each parser will parse a different text document structure. Documents structure might change from time to time and more new structured document will be added to be parsed. I dont want to recompile build deploy my application for each arser change.
I want to manage the execution of each parser as theymight be executed in parralel or according to execution rules.
Does Using Java ScriptingEngine might be a good option?
There are lots of ways to have some code that can be modified without redeploying. Using groovy scripts to do the parsing is one. Is is a rather simple matter to check to see if the script has been modified and automatically reload it.
The design sounds convoluted to me, but IFF you prove to yourself there's not a much simpler way to accomplish the same task, you may want a rules engine like Drools...
Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages.
Idealy the lib would be:
Free
Lightweight
Easy to use
Thanks in advance to the SO community who will happily reply :)
Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip.
http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html
Edit: Escaping can save you from injection attacks because it makes sure that the data the user has entered is not executed as code, but always presented as data to the user.
You need to rely on the your database api's mechanism for using parameterized queries. If you're first building an sql string dynamically and then want to sanitize the completed query string, you're doing it wrong. That's just asking for trouble.
Edit: after re-reading your question, it seems I mis-understood what you were asking. I stand by my initial comments as accurate for the sql injection part of your question. For that, you definitely want real query parameters.
As for filtering out javascript, I don't think there's a real standard way to do it yet. I know Jeff posted the code they use here at SO, but I don't have the link handy. If I can find it I'll post it.
Take a look at AntiSamy on OWASP. I think this might be what you are looking for. I do not currently work in Java so I cannot tell you about how it performs.
The what you're saying is that for every possible entry being added to the string I have to remove first the "malicious" data. Yeah it makes sense as I wouldn't be able to tell which was added as an input and what would be part of the query itself.
Ok ty i guess i need to restart changing some code :) still the question for the api still stands :)
The c:out tag by default escapes XML. This can be handy for storing user input, as the bound value will still be the user's input but the source generated by the browser will use escaped entries.
To prevent SQL injection utilize PreparedStatement objects. If you are using some persistence layer, ensure that it is utilizing PreparedStatement objects. With regard to malicious HTML and JavaScript, use . This escapes XML characters by default. You can also use the JSTL function escapeXml found in the fn tld.
Just rephrasing the suggestions given by others here:
The OP wants to prevent SQL and JavaScript injection attacks.
SQL Injection attacks can be prevented by ensuring that parameterized queries/bind variables are utilized to provide user input to the database. In the Java world, the use of PMD (and a PMD rule) and Findbugs (the rules are built into Findbugs by default) will help you determine locations in your code base that are susceptible to SQL injection attacks. OWASP has a good article on preventing SQL injection in Java.
As far as script injection is concerned, the safest way to prevent attacker-injected scripts from being executed is to ensure that user input, when it is used as output, is to be displayed using an encoded format - for web apps, this would be HTML encoding. This OWASP page shows you how to perform HTML encoding in Java.
If you want to protect your application from javascript injection, than you need to instrument or hook method which takes your javascript as argument, In case of mongodb, eval() method can execute javascript at mongo server.
You can follow below link to mitigate ssjs attack.
https://www.sciencedirect.com/science/article/pii/S1568494619305022