I want to create multi parameter search using JDBC prepared statement so as to prevent SQL injection attack and improve performance. As I couldn't find the best way to do it on the net.
I've tried to implement on my own as follow.
In this program I want to allow the user to search an employee by either first name, last name or department id.
I want to know
if my implementation would prevent SQL injection
If I am using prepared statement correctly? I have some doubt on this line
PreparedStatement stat = conn.prepareStatement(sql.toString());
Let's say two users search by using the same parameters, and thus it would result the same
sql string. According to my implementation, would the database have to prepare that sql twice or just once?
public class EmpDAO {
public static List<Employee> findByCriteria(Employee e)
throws SQLException, IOException {
try (Connection conn = getConnection()) {
StringBuilder sql = new StringBuilder("SELECT * FROM Employee ");
//collect user supplied parameters
Map<String, String> params = new HashMap<String, String>();
if (e.getFname() != null && e.getFname().length() != 0) {
params.put(EmpDAO.FNAME, e.getFname());
}
if (e.getLname() != null && e.getLname().length() != 0) {
params.put(EmpDAO.LNAME, e.getLname());
}
if (e.getDepid() > 0) {
params.put(EmpDAO.DEPT_ID, new Integer(e.getDepid()).toString());
}
//construct prepared statement based on the parameters
Set<String> colSet = params.keySet();
if (colSet != null && !colSet.isEmpty()) {
StringBuilder whereClause = new StringBuilder(" WHERE");
String andOp = "";
for (String colName : colSet) {
whereClause.append(andOp);
whereClause.append(" ");
whereClause.append(colName);
whereClause.append("=? ");
andOp = " AND ";
}
sql.append(whereClause);
}
PreparedStatement stat = conn.prepareStatement(sql.toString());
int paramPos = 1;
for (String colName : colSet) {
if (colName.equals(EmpDAO.FNAME)) {
stat.setString(paramPos, params.get(colName));
}
if (colName.equals(EmpDAO.LNAME)) {
stat.setString(paramPos, params.get(colName));
}
if (colName.equals(EmpDAO.DEPT_ID)) {
stat.setInt(paramPos, Integer.parseInt(params.get(colName)));
}
paramPos++;
}
List<Employee> emp1 = new ArrayList<>();
try (ResultSet result = stat.executeQuery()) {
while (result.next()) {
Employee emp = new Employee();
emp.setDepid(result.getInt("DEPT_ID"));
emp.setEmpid(result.getInt("EMP_ID"));
emp.setFname(result.getString("FNAME"));
emp.setJobid(result.getInt("JOB_ID"));
emp.setLname(result.getString("LNAME"));
emp.setMangid(result.getInt("MANAGER_EMP_ID"));
emp.setSalary(result.getInt("SALARY"));
emp1.add(emp);
}
}
return emp1;
}
}
public static Connection getConnection() throws SQLException, IOException {
try {
Class.forName("com.mysql.jdbc.Driver");
} catch (ClassNotFoundException ex) {
ex.printStackTrace();
}
return DriverManager.getConnection("jdbc:mysql://localhost:3306/test",
"root", "root");
}
public static final String FNAME = "FNAME";
public static final String LNAME = "FNAME";
public static final String DEPT_ID = "FNAME";
}
Yes -- as written this will prevent SQL injection attacks and yes, that is how you use .prepareStatement. You should probably post this code on https://codereview.stackexchange.com/ if you want a critique of how it's done.
Related
I've ran into a problem of having to run a number of different queries on the DB (different return types, different number of columns, etc).
While writing that i started to wonder if there's a proper way of writing a helper function.
It seemed that it's really easy to write a function that returns a ResultSet.
However since it a) doesn't close connection b) doesn't close the result set it seems as a possibly working, but improper solution. Is there any place to dump in all results so that they can be returned safely.
(Only thing i could come up with, is just returning a 2D string array (after converting all data to strings) and then converting it all back)
EDIT : Sorry for not writing clear, was wondering if there's any way to just store the result of the query as is (don't need to modify it) without writing a separate method for every possible return type.
The idea behind a 2d string list is being able to store the query values as is.
Col1 Row1 | Col2 Row1 | Col3 Row1
Col1 Row2 | Col2 Row2 | Col3 Row2
EDIT 2 Thank you for replies, i guess i'll just write a small parser for it.
You shouldn't be returning resultSets, you should read the results from the resultset into some kind of container object. A ResultSet is a wrapper around a database cursor, it goes away when the connection closes. It's something you read from and close right away, not something you can pass around your application.
Look at how spring-jdbc does it. You implement a resultSetMapper that is passed to the method on the JdbcTemplate.
Several observations:
You don't need to use Spring to use spring-jdbc. However, I see very little value in reimplementing this stuff yourself.
It's not the job of the code that reads the ResultSet to open and close connections, that needs to be elsewhere.
I'd recommend looking at Spring JDBC. Don't write such a thing yourself. It's already been done, and quite well.
For example, I don't like your idea of returning a List of Strings. You lose a lot of info that way. I'd return a Map of Lists (column view) or List of Maps (row view).
If you must, here are some database utilities that would get you started.
package persistence;
import java.sql.*;
import java.util.*;
/**
* util.DatabaseUtils
* User: Michael
* Date: Aug 17, 2010
* Time: 7:58:02 PM
*/
public class DatabaseUtils {
/*
private static final String DEFAULT_DRIVER = "oracle.jdbc.driver.OracleDriver";
private static final String DEFAULT_URL = "jdbc:oracle:thin:#host:1521:database";
private static final String DEFAULT_USERNAME = "username";
private static final String DEFAULT_PASSWORD = "password";
*/
/*
private static final String DEFAULT_DRIVER = "org.postgresql.Driver";
private static final String DEFAULT_URL = "jdbc:postgresql://localhost:5432/party";
private static final String DEFAULT_USERNAME = "pgsuper";
private static final String DEFAULT_PASSWORD = "pgsuper";
*/
private static final String DEFAULT_DRIVER = "com.mysql.jdbc.Driver";
private static final String DEFAULT_URL = "jdbc:mysql://localhost:3306/party";
private static final String DEFAULT_USERNAME = "party";
private static final String DEFAULT_PASSWORD = "party";
public static void main(String[] args) {
long begTime = System.currentTimeMillis();
String driver = ((args.length > 0) ? args[0] : DEFAULT_DRIVER);
String url = ((args.length > 1) ? args[1] : DEFAULT_URL);
String username = ((args.length > 2) ? args[2] : DEFAULT_USERNAME);
String password = ((args.length > 3) ? args[3] : DEFAULT_PASSWORD);
Connection connection = null;
try {
connection = createConnection(driver, url, username, password);
DatabaseMetaData meta = connection.getMetaData();
System.out.println(meta.getDatabaseProductName());
System.out.println(meta.getDatabaseProductVersion());
String sqlQuery = "SELECT PERSON_ID, FIRST_NAME, LAST_NAME FROM PERSON ORDER BY LAST_NAME";
System.out.println("before insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
connection.setAutoCommit(false);
String sqlUpdate = "INSERT INTO PERSON(FIRST_NAME, LAST_NAME) VALUES(?,?)";
List parameters = Arrays.asList("Foo", "Bar");
int numRowsUpdated = update(connection, sqlUpdate, parameters);
connection.commit();
System.out.println("# rows inserted: " + numRowsUpdated);
System.out.println("after insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
} catch (Exception e) {
rollback(connection);
e.printStackTrace();
} finally {
close(connection);
long endTime = System.currentTimeMillis();
System.out.println("wall time: " + (endTime - begTime) + " ms");
}
}
public static Connection createConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
Class.forName(driver);
if ((username == null) || (password == null) || (username.trim().length() == 0) || (password.trim().length() == 0)) {
return DriverManager.getConnection(url);
} else {
return DriverManager.getConnection(url, username, password);
}
}
public static void close(Connection connection) {
try {
if (connection != null) {
connection.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
public static void close(Statement st) {
try {
if (st != null) {
st.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
public static void close(ResultSet rs) {
try {
if (rs != null) {
rs.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
public static void rollback(Connection connection) {
try {
if (connection != null) {
connection.rollback();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
public static List<Map<String, Object>> map(ResultSet rs) throws SQLException {
List<Map<String, Object>> results = new ArrayList<Map<String, Object>>();
try {
if (rs != null) {
ResultSetMetaData meta = rs.getMetaData();
int numColumns = meta.getColumnCount();
while (rs.next()) {
Map<String, Object> row = new HashMap<String, Object>();
for (int i = 1; i <= numColumns; ++i) {
String name = meta.getColumnName(i);
Object value = rs.getObject(i);
row.put(name, value);
}
results.add(row);
}
}
} finally {
close(rs);
}
return results;
}
public static List<Map<String, Object>> query(Connection connection, String sql, List<Object> parameters) throws SQLException {
List<Map<String, Object>> results = null;
PreparedStatement ps = null;
ResultSet rs = null;
try {
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters) {
ps.setObject(++i, parameter);
}
rs = ps.executeQuery();
results = map(rs);
} finally {
close(rs);
close(ps);
}
return results;
}
public static int update(Connection connection, String sql, List<Object> parameters) throws SQLException {
int numRowsUpdated = 0;
PreparedStatement ps = null;
try {
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters) {
ps.setObject(++i, parameter);
}
numRowsUpdated = ps.executeUpdate();
} finally {
close(ps);
}
return numRowsUpdated;
}
}
You can write helper functions that parse a ResultSet and convert it into an ArrayList or an array or even the fields of an object. For instance, lets say you have a table of orders and then a query returns all of the rows of that table for a particular user (customer). We could then do something like this:
static List<Order> parseOrder(ResultSet rs) {
ArrayList<Order> orderList = new ArrayList<>();
while(rs.next() ) {
Order order = new Order();
order.setID(rs.getInt(1));
order.setCustomerID(rs.getInt(2));
order.setItemName(rs.getString(3));
orderList.add(order);
}
return orderList;
}
Simply turning the result set into an array of an array of Objects would be more general, but probably less useful.
I would leave it up to the calling function to close this ResultSet and possible the PreparedStatement (or Statement) and database connection.
So I have a simple function to return something from the database. I can then modify this query by adding different parameters in the WHERE clause. What would be the most elegant and efficient way to handle this?
Example:
public static getUsers(int id, string username, string email) {
Connection conn = null;
PreparedStatement stmt = null;
String sql = "";
sql = "SELECT * FROM users " .........
And that's where I'm confused about the where clause. If I do something like
"WHERE id = ? AND username = ? AND email = ?";
What happens if I call the method with only an Id, and no username or email? It'll break and I can't have that happening.
Also, it becomes hard to manage my indexes, becuase if I would do something like stmt.setInt(1, id), but what if I only wanted to call the method with the username, and that id would come in as null, wouldn't throw a NPE?
I'm sort of new to Java, sorry... but I'm thinking I should use overrides? should I build my where clause in a conditional statement? Any help would be appreciated.
Thanks
I would create a SqlQuery class which implements the Builder Pattern. This is an excellent post explaining usage of the pattern.
Example:
public class SqlQuery {
private StringBuilder tableQuery = new StringBuilder();
private StringBuilder whereQuery = new StringBuilder();
public SqlQuery(String selection, String table) {
tableQuery.append("SELECT ").append(selection).append(" FROM ").append(table);
}
public SqlQuery addWhereClause(String parameter, String value) {
if (whereQuery.length() == 0) {
whereQuery.append(" WHERE ");
}
else {
whereQuery.append(" AND ");
}
whereQuery.append(parameter).append(" = ").append(value);
return this;
}
public String toString() {
return tableQuery.toString() + whereQuery.toString();
}
}
SqlQuery sqlQ = new SqlQuery("*", "users")
.addWhereClause("id", "2")
.addWhereClause("email", "test");
System.out.println(sqlQ);
This prints:
SELECT * FROM users WHERE id = 2 AND email = test
The excellent idea from #ghdalum does not actually involve a PreparedStatement. Here is my adaptation of his builder idea to produce a PreparedStatement:
public class UserQueryBuilder {
private Connection conn;
private StringBuilder query = new StringBuilder("SELECT * FROM users");
private List<ValueSetter> valueSetters = new ArrayList<ValueSetter>();
// callback interface for setting the column values
private interface ValueSetter {
void setValue(PreparedStatement ps);
}
// the caller is responsible for closing the connection afterwards
public QueryBuilder(Connection conn) {
this.conn = conn;
}
public QueryBuilder byId(final Integer id) {
appendSeparator();
query.append("id = ?");
valueSetters.add(new ValueSetter() {
public void setValue(PreparedStatement ps) {
ps.setInt(id);
}
});
return this;
}
public QueryBuilder byEmail(String email) {
appendSeparator();
query.append("email = ?");
valueSetters.add(new ValueSetter() {
public void setValue(PreparedStatement ps) {
ps.setString(email);
}
});
return this;
}
public QueryBuilder byUsername(String username) {
appendSeparator();
query.append("username= ?");
valueSetters.add(new ValueSetter() {
public void setValue(PreparedStatement ps) {
ps.setString(username);
}
});
return this;
}
private void appendSeparator() {
if (filterValues.size() == 0) {
query.append(" WHERE ")
}
else {
query.append(" AND ")
}
}
public PreparedStatment build() {
PreparedStatement ps = conn.prepareStatement(query.toString());
for(ValueSetter valueSetter : valueSetters) {
valueSetter.setValue(ps);
}
return ps;
}
}
Usage:
PreparedStatement userQuery = new UserQueryBuilder(conn)
.byId("2")
.byEmail("test")
.build();
userQuery.execute();
(BTW I didn't test this code so there could be typos)
write if else statement i.e.
if(username!=null)
query=query+"username=?";
and
if(username!=null)
stmt.setInt(2, username)
I would do something like this, create a method which accepts List<ColumnNames> and in that method loop through all the column names by appending the place holder to the column name.
public List<Something> method(List<Something> list){
String sql = "SELECT * FROM users WHERE "+ this.processPlaceHolders(list);
}
public String processPlaceHolders(List<Something> list) {
StringBuilder finalStr=new StringBuilder("");
for(int i=0;i<list.size(); i++){
if(i==list.size()-1){
finalStr.append(list.get(i)+"=" +"?");
}
else {
finalStr.append(list.get(i)+"=" +"?,");
}
}
return finalStr.toString();
}
You will need to dynamically build your SQL query to achieve this.
public static getUsers(int id, string username, string email) {
Connection conn = null;
PreparedStatement stmt = null;
String sql = "";
sql = "SELECT * FROM users where id=? ";
if (username != null)
sql += " AND username=? ";
if (email !=null)
sql += " AND email=?";
stmt = conn.prepareStatement(sql);
stmt.setInt(1,id);
if (username != null && email !=null)
{
stmt.setString(2,username);
stmt.setString(3,email);
}
else if (username != null)
stmt.setString(2,username);
else if (email != null)
stmt.setString(2,email);
Try this:
public static getUsers(int id, String username, String email) {
Connection conn = null;
PreparedStatement stmt = null;
String sql = "SELECT * FROM users WHERE id=? ";
if (username != null && username.trim().length() != 0) sql = sql + " AND username=? ";
if (email != null && email.trim().length() != 0) sql = sql + " AND username=? ";
stmt = conn.prepareStatement(sql);
stmt.setInt(1, id);
if (username != null && username.trim().length() != 0) stmt.setString(2, username);
if (email != null && email.trim().length() != 0) stmt.setString(3, email);
//.....
}
The solution to your problem is something like this:
public void getRecord(String id, String username, String email)
{
String sql = " select * from users ";
boolean isID , isUserName, isEmail;
boolean isFirst = true;
if (id!=null)
{
if ( isFirst)
{
sql = sql + " where";
isFirst = false;
}
sql = sql + " id = ?";
isID = true;
}
if (username != null)
{
if ( isFirst)
{
sql = sql + " where";
sql = sql + " username = ?";
isFirst = false;
}
else
sql = sql + " and username = ?";
isUserName = true;
}
if (email != null)
{
if ( isFirst)
{
sql = sql + " where";
sql = sql + " email = ?";
isFirst = false;
}
else
sql = sql + " and email = ?";
isEmail = true;
}
PreparedStatement pst = con.prepareStatement(sql);
int counter = 1;
if (isID)
pst.setString(counter++,id);
if (isUserName)
pst.setString(counter++,username);
if (isEmail)
pst.setString(counter++,email);
//Then execute the query
ResultSet rs = pst.executeQuery();
.......
}
Instead of writing one very complex method to dynamically construct a PreparedStatement, you should consider writing a separate method for each valid combination of inputs. Then each one can easily validate its input and will always use a specific PreparedStatement. Not only will this be easier to understand and maintain in the future, but it will be easier to test.
If you need backward compatibility with an existing API, you can then write a getUsers(int id, string username, string email) method that delegates to the simpler methods as appropriate.
I created a method that works Just Well Enough (takes ~4 seconds to complete) on my computer. However, the end user will use the method in a remote-desktop environment, where the same request took anything from 25-50 seconds to complete. How can I optimize this program?
private void compareAndPopulateArrays(List<String> listOfGenIdsFromXml,
List<String> listOfGenIdsFromDB, String dburl)
throws ClassNotFoundException, SQLException {
mdbAccessor = new MDBAccessor();
for (int x = 0; x < listOfGenIdsFromXml.size(); x++) {
Boolean matching_id_found = false;
for (int y = 0; y < listOfGenIdsFromDB.size(); y++) {
if (listOfGenIdsFromXml.get(x)
.equals(listOfGenIdsFromDB.get(y)) || equalsLanguageCodeIgnore(listOfGenIdsFromXml.get(x),listOfGenIdsFromDB.get(y))) {
addNewMatchingRecognition(listOfGenIdsFromXml,
listOfGenIdsFromDB, dburl, x, y);
matching_id_found = true;
}
}
if (!(matching_id_found == true)) {
newRecognitions.add(new NewRecognition(listOfGenIdsFromXml
.get(x)));
}
}
}
private void addNewMatchingRecognition(List<String> listOfGenIdsFromXml,
List<String> listOfGenIdsFromDB, String dburl, int x, int y)
throws ClassNotFoundException, SQLException {
String gen_id_Xml = listOfGenIdsFromXml.get(x);
String gen_id_DB = listOfGenIdsFromDB.get(y);
int issue_id = mdbAccessor.getIssueId(gen_id_DB, dburl);
String issue_expression = mdbAccessor.getIssueExpression(gen_id_DB,
dburl);
String issue_detail = mdbAccessor.getIssueDetails(gen_id_DB, dburl);
matchingRecognitions.add(new MatchingRecognition(gen_id_Xml, gen_id_DB,
issue_id, issue_detail, issue_expression));
}
And all the mdbAccessor methods look similarly to the following:
public int getIssueId(String gen_id, String dburl) throws ClassNotFoundException,
SQLException {
Connection connection = setupConnection(dburl);
Statement statement = connection.createStatement();
ResultSet resultSet = statement
.executeQuery("SELECT issue_id FROM es_it WHERE gen_id='&&"
+ gen_id + "' OR gen_id='&" + gen_id + "'");
if (resultSet.next()){
int getint = resultSet.getInt(1);
resultSet.close();
connection.close();
return getint;
}else{
resultSet.close();
connection.close();
return -1;
}
}
equalsLanguageCodeIgnore:
public boolean equalsLanguageCodeIgnore(String gen_id, String gen_id_DB) {
if (genIdsAreEqualMinusLanguageCode(gen_id, gen_id_DB)) {
return true;
} else {
return false;
}
}
private boolean genIdsAreEqualMinusLanguageCode(String gen_id,
String gen_id_DB) {
return gen_id_DB.contains("P-XX-")
&& gen_id.substring(5).equals(gen_id_DB.substring(5));
}
New and improved MDBAccessor class:
public class MDBAccessor {
private Connection connection;
private Statement statement;
public void setupConnection(String dburl)
throws ClassNotFoundException, SQLException {
connection = DriverManager
.getConnection("jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};Dbq="
+ dburl);
statement = connection.createStatement();
}
public void closeConnection() throws SQLException{
connection.close();
}
////
public int getIssueId(String gen_id) throws ClassNotFoundException,
SQLException {
ResultSet resultSet = statement
.executeQuery("SELECT issue_id FROM es_it WHERE gen_id='&&"
+ gen_id + "' OR gen_id='&" + gen_id + "'");
if (resultSet.next()){
int getint = resultSet.getInt(1);
resultSet.close();
return getint;
}else{
resultSet.close();
return -1;
}
}
Get the items once, and pass the items around, instead of the lists and indexes. This will limit the number of lookups done in the Lists, which I expect are quite large. Depending on your version of Java you may want to use a for-each construct for readability.
I expect you could consolidate the database accesses into a single query, which would save time.
int issue_id = mdbAccessor.getIssueId(gen_id_DB, dburl);
String issue_expression = mdbAccessor.getIssueExpression(gen_id_DB,
dburl);
String issue_detail = mdbAccessor.getIssueDetails(gen_id_DB, dburl);
You seem to be opening and closing the DB for each query. Open it once, and close it at the end of the function, as the open and close of the DB connection is costly (especially against Access IIRC). You would likely want to make the connection object a member of your MDBAccessor class. Remember to use a try finally construct to ensure it is closed.
Suggested refactoring for readability
private void compareAndPopulateArrays(List<String> xmlGenIds,
List<String> dbGenIds, String dbUrl)
throws ClassNotFoundException, SQLException {
//Better yet move it into an init method or the class constructor
mdbAccessor = new MDBAccessor(dbUrl);
for (String currXmlId : xmlGenIds) {
Boolean matchingIdFound = false;
for (String currDbId : dbGenIds) {
if (currXmlId.equals(currDbId) ||
equalsLanguageCodeIgnore(currXmlId,currDbId)) {
addNewMatchingRecognition(currDbId, currXmlId);
matchingIdFound = true;
}
}
if (!matchingIdFound) {
newRecognitions.add(new NewRecognition(currDbId));
}
}
}
You could try make some short of hash map from listOfGenIdsFromDB and replace the inner loop with map look ups, this would reduce need to repeatedly iterate over listOfGenIdsFromDB.
I am attempting to get a connection to my University's MySQL DB but the connection is hanging.
import java.sql.*;
public class ConnectToDB {
public static void main(String args[]){
try {
Class.forName("com.mysql.jdbc.Driver").newInstance();
String url = "jdbc:mysql://db.cs.myUniversity.com/dbName";
System.out.println("BEFORE");
Connection con = DriverManager.getConnection(url,"me", "password");
System.out.println("AFTER");
...
This call: time java ConnectToDB prints (after I eventually kill it):
Copyright 2004, R.G.Baldwin
BEFORE
AFTER
real 3m9.343s
user 0m0.316s
sys 0m0.027s
I just downloaded MySQL Connector/J from here. I am not sure if that is part of the problem. I followed the directions fairly precisely.
I can also connect to mysql on the command line like this:
$ mysql -u me -h db.cs.myUniversity.com -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 882328
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use dbName;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SHOW tables;
+-------------------+
| Tables_in_dbName |
+-------------------+
| classics |
+-------------------+
1 row in set (0.00 sec)
Possible Problems:
The Java code I wrote
How I installed MySQL Connector/J
Some kind of network problem blocking the connection
Question: What should I do to solve this problem? Why is the getConnection call hanging?
I was following this tutorial
The output you provide is not helpful.
I see BEFORE and AFTER being printed, so the connection was made. The code doesn't show what those timings encompass, so I can't tell what they mean.
If you're suggesting that your code had to killed because the connection was never made, it's probably because your username, password, and client IP have not been GRANTed permissions that are needed.
Could be:
your university network; find a network engineer to ask about firewalls.
permission in the MySQL database; find the DBA and ask.
your code; you didn't post enough to tell. Post the whole class.
What's up with that copyright? I'd lose that.
This code works. Modify it so the pertinent parameters match your problem. (Mine uses MySQL 5.1.51 and a table named Party.) When I run it on my local machine, I get a wall time of 641 ms.
package persistence;
import java.sql.*;
import java.util.*;
/**
* DatabaseUtils
* User: Michael
* Date: Aug 17, 2010
* Time: 7:58:02 PM
*/
public class DatabaseUtils
{
/*
private static final String DEFAULT_DRIVER = "org.postgresql.Driver";
private static final String DEFAULT_URL = "jdbc:postgresql://localhost:5432/party";
private static final String DEFAULT_USERNAME = "pgsuper";
private static final String DEFAULT_PASSWORD = "pgsuper";
*/
private static final String DEFAULT_DRIVER = "com.mysql.jdbc.Driver";
private static final String DEFAULT_URL = "jdbc:mysql://localhost:3306/party";
private static final String DEFAULT_USERNAME = "party";
private static final String DEFAULT_PASSWORD = "party";
public static void main(String[] args)
{
long begTime = System.currentTimeMillis();
String driver = ((args.length > 0) ? args[0] : DEFAULT_DRIVER);
String url = ((args.length > 1) ? args[1] : DEFAULT_URL);
String username = ((args.length > 2) ? args[2] : DEFAULT_USERNAME);
String password = ((args.length > 3) ? args[3] : DEFAULT_PASSWORD);
Connection connection = null;
try
{
connection = createConnection(driver, url, username, password);
DatabaseMetaData meta = connection.getMetaData();
System.out.println(meta.getDatabaseProductName());
System.out.println(meta.getDatabaseProductVersion());
String sqlQuery = "SELECT PERSON_ID, FIRST_NAME, LAST_NAME FROM PERSON ORDER BY LAST_NAME";
System.out.println("before insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
connection.setAutoCommit(false);
String sqlUpdate = "INSERT INTO PERSON(FIRST_NAME, LAST_NAME) VALUES(?,?)";
List parameters = Arrays.asList( "Foo", "Bar" );
int numRowsUpdated = update(connection, sqlUpdate, parameters);
connection.commit();
System.out.println("# rows inserted: " + numRowsUpdated);
System.out.println("after insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
}
catch (Exception e)
{
rollback(connection);
e.printStackTrace();
}
finally
{
close(connection);
long endTime = System.currentTimeMillis();
System.out.println("wall time: " + (endTime - begTime) + " ms");
}
}
public static Connection createConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException
{
Class.forName(driver);
if ((username == null) || (password == null) || (username.trim().length() == 0) || (password.trim().length() == 0))
{
return DriverManager.getConnection(url);
}
else
{
return DriverManager.getConnection(url, username, password);
}
}
public static void close(Connection connection)
{
try
{
if (connection != null)
{
connection.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void close(Statement st)
{
try
{
if (st != null)
{
st.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void close(ResultSet rs)
{
try
{
if (rs != null)
{
rs.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void rollback(Connection connection)
{
try
{
if (connection != null)
{
connection.rollback();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static List<Map<String, Object>> map(ResultSet rs) throws SQLException
{
List<Map<String, Object>> results = new ArrayList<Map<String, Object>>();
try
{
if (rs != null)
{
ResultSetMetaData meta = rs.getMetaData();
int numColumns = meta.getColumnCount();
while (rs.next())
{
Map<String, Object> row = new HashMap<String, Object>();
for (int i = 1; i <= numColumns; ++i)
{
String name = meta.getColumnName(i);
Object value = rs.getObject(i);
row.put(name, value);
}
results.add(row);
}
}
}
finally
{
close(rs);
}
return results;
}
public static List<Map<String, Object>> query(Connection connection, String sql, List<Object> parameters) throws SQLException
{
List<Map<String, Object>> results = null;
PreparedStatement ps = null;
ResultSet rs = null;
try
{
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters)
{
ps.setObject(++i, parameter);
}
rs = ps.executeQuery();
results = map(rs);
}
finally
{
close(rs);
close(ps);
}
return results;
}
public static int update(Connection connection, String sql, List<Object> parameters) throws SQLException
{
int numRowsUpdated = 0;
PreparedStatement ps = null;
try
{
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters)
{
ps.setObject(++i, parameter);
}
numRowsUpdated = ps.executeUpdate();
}
finally
{
close(ps);
}
return numRowsUpdated;
}
}
I am trying to insert some rows in to a table... I am using postgressql-7.2.jar.
I get the following exception
org.postgresql.util.PSQLException: No results were returned by the query.
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:255)
I have already Googled and the possible reasons suggested are
Use executeUpdate() method or execute() method instead of executeQuery() method.
This could possibly be because of jar problem; try other versions of postgres jars.
In some places they save it could be because of heap space error.
I have tried all the three solutions but none of them work...
I am not pasting the code since I have just used statement.executeUpdate(queryString).
The insert statements load the data in to the table but still I get this error.
Can some one help me out in this?
What type of SQL statement are you trying to run with executeQuery()? It should not be an INSERT or UPDATE - these are not queries.
Without posting the actual SQL statement, code samples, or what the table looks like - it's pretty hard to actually help you with your problem. Without specifics all we can do is guess.
This code works perfectly for me running PostgreSQL 8.1 and its driver. Perhaps it can be a template for finding what's wrong with yours.
You need a single table named PERSON with columns PERSON_ID, FIRST_NAME, LAST_NAME. I made PERSON_ID the auto incremented primary key.
package persistence;
import java.sql.*;
import java.util.*;
public class DatabaseUtils
{
private static final String DEFAULT_DRIVER = "org.postgresql.Driver";
private static final String DEFAULT_URL = "jdbc:postgresql://localhost:5432/party";
private static final String DEFAULT_USERNAME = "pgsuper";
private static final String DEFAULT_PASSWORD = "pgsuper";
public static void main(String[] args)
{
String driver = ((args.length > 0) ? args[0] : DEFAULT_DRIVER);
String url = ((args.length > 1) ? args[1] : DEFAULT_URL);
String username = ((args.length > 2) ? args[2] : DEFAULT_USERNAME);
String password = ((args.length > 3) ? args[3] : DEFAULT_PASSWORD);
Connection connection = null;
try
{
connection = createConnection(driver, url, username, password);
DatabaseMetaData meta = connection.getMetaData();
System.out.println(meta.getDatabaseProductName());
System.out.println(meta.getDatabaseProductVersion());
String sqlQuery = "SELECT PERSON_ID, FIRST_NAME, LAST_NAME FROM PERSON ORDER BY LAST_NAME";
System.out.println("before insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
connection.setAutoCommit(false);
String sqlUpdate = "INSERT INTO PERSON(FIRST_NAME, LAST_NAME) VALUES(?,?)";
List parameters = Arrays.asList( "Foo", "Bar" );
int numRowsUpdated = update(connection, sqlUpdate, parameters);
connection.commit();
System.out.println("# rows inserted: " + numRowsUpdated);
System.out.println("after insert: " + query(connection, sqlQuery, Collections.EMPTY_LIST));
}
catch (Exception e)
{
rollback(connection);
e.printStackTrace();
}
finally
{
close(connection);
}
}
public static Connection createConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException
{
Class.forName(driver);
if ((username == null) || (password == null) || (username.trim().length() == 0) || (password.trim().length() == 0))
{
return DriverManager.getConnection(url);
}
else
{
return DriverManager.getConnection(url, username, password);
}
}
public static void close(Connection connection)
{
try
{
if (connection != null)
{
connection.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void close(Statement st)
{
try
{
if (st != null)
{
st.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void close(ResultSet rs)
{
try
{
if (rs != null)
{
rs.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static void rollback(Connection connection)
{
try
{
if (connection != null)
{
connection.rollback();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
public static List<Map<String, Object>> map(ResultSet rs) throws SQLException
{
List<Map<String, Object>> results = new ArrayList<Map<String, Object>>();
try
{
if (rs != null)
{
ResultSetMetaData meta = rs.getMetaData();
int numColumns = meta.getColumnCount();
while (rs.next())
{
Map<String, Object> row = new HashMap<String, Object>();
for (int i = 1; i <= numColumns; ++i)
{
String name = meta.getColumnName(i);
Object value = rs.getObject(i);
row.put(name, value);
}
results.add(row);
}
}
}
finally
{
close(rs);
}
return results;
}
public static List<Map<String, Object>> query(Connection connection, String sql, List<Object> parameters) throws SQLException
{
List<Map<String, Object>> results = null;
PreparedStatement ps = null;
ResultSet rs = null;
try
{
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters)
{
ps.setObject(++i, parameter);
}
rs = ps.executeQuery();
results = map(rs);
}
finally
{
close(rs);
close(ps);
}
return results;
}
public static int update(Connection connection, String sql, List<Object> parameters) throws SQLException
{
int numRowsUpdated = 0;
PreparedStatement ps = null;
try
{
ps = connection.prepareStatement(sql);
int i = 0;
for (Object parameter : parameters)
{
ps.setObject(++i, parameter);
}
numRowsUpdated = ps.executeUpdate();
}
finally
{
close(ps);
}
return numRowsUpdated;
}
}
A statement inserting rows does not return any rows back as a result, as opposed to a SELECT.