I'm developing a web app (java) and I'm using Hibernate 4.1.4 and oracle 11g. By security's rules, the dbuser (the db user that app uses) doesnt have insert privileges. Then every time my app is gonna do a insert, it must execute the query "SET ROLE XXXX ...." before the insertion-query be executed. This "set role.." will give to dbuser the privileges to insert into some tables int that transaction. How to do it with Hibernate? I don't wanna put it in a default conf because I should execute the above query only in insertions (not to selects...). I tried do it on my save method:
public Object saveOrUpdate(Object entity) {
Query query = getSessionFactory().getCurrentSession().createSQLQuery("set role XXXX identified by XXXX");
query.executeUpdate();
getSessionFactory().getCurrentSession().saveOrUpdate(entity);
return entity;
}
but it doesnt work. I get the error "view or table not exist". When I try execute only the query.executeUpdate() or the saveOrUpdate(entity) no error happened.
I guess it is all. If you need more details, please ask to me. Thanks!
Related
I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are suppouse to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the colums id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code use the executeUpdate() method and for SELECT use the executeQuery() method which returns the ResultSet, so obviusly when I try someting like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main consult would be a SELECT so it would actually return a ResultSet object but it doesnt work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id=?admin?; UPDATE usuarios SET id=?luciareina? WHERE id=?admin?); --
Do you know anyway to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
you should close out the existing query and then do the update
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
jpql delete query is active for last 4 hours. When I tried to execute the same query directly on the database console it took around 30seconds to execute.The total data to delete is maximum 100000. I have index on id. I am unable to understand. Any suggestions would be appreciated.
Thanks
#Modifying
#Query("DELETE FROM IoEntity WHERE Id = :id")
void deleteAllById(#Param("id") UUID id);
Whenever you run a DML in your DB using SQL clients like Toad, SQL Developer etc, make sure you commit it unless auto commit is turned on in the client.
If you are doing the delete via JPA, commit will be taken care by Spring when you define #Transactional in your service method.
I am trying to query the replication status of the underlying database using the query:
em.createNativeQuery("SELECT application_name, backend_start, state, cast(write_lag as text) FROM pg_stat_replication;").getResultList();
Unfortunately, all columns except application_name return null. Even if I only run
em.createNativeQuery("SELECT backend_start FROM pg_stat_replication;").getResultList();
I get a null result. If I run the same query in the postgres command-line client, I get a meaningful result:
dbname=# select backend_start from pg_stat_replication;
backend_start
-------------------------------
2018-10-16 09:01:58.262578+02
(1 row)
I am using spring-boot 1.2.6 with hibernate, and postgresql 10.5.
What can I do so I get the results for this query?
Just after posting, I realised I user different users in the CLI and from java. Apparently, the user needs to be superuser or have the pg_read_all_stats default role. Like this:
GRANT pg_read_all_stats TO user;
Working on a Spring application that uses Hibernate, and in my DAO layer we are running an UPDATE statement to update some values in an Oracle database.
To make sure I'm not crazy, I ran the statement in SQL Developer to make sure it works properly. Here is part of my DAO code:
public void updateObjectInMyTable(SomeClassA objectOfSomeClassA) {
Session session = getCurrentSession();
String sql = "UPDATE SCHEMA_NAME.TABLE_XYZ SET FIRST_NAME=:firstName, LAST_NAME=:lastName, ADDRESS=:address, CITY=:city, ZIPCODE=:zipcode WHERE ID_NUMBER = :idNumber";
SQLQuery query = session.createSQLQuery(sql);
query.setParameter("firstName", objectOfSomeClassA.getFirstName());
query.setParameter("lastName", objectOfSomeClassA.getLastName());
query.setParameter("address", objectOfSomeClassA.getAddress());
query.setParameter("city", objectOfSomeClassA.getCity());
query.setParameter("zipcode", objectOfSomeClassA.getZipcode());
query.setParameter("idNumber", objectOfSomeClassA.getIdNumber());
query.executeUpdate();
}
(Excuse the poor variables names used for substitutions of the real ones.) I did debug on the server and I do not see any errors with query.executeUpdate() It gets to that line, and doesn't pass on to the next statement I have in my service layer.
Anything I'm doing wrong?
Where's your transaction ?!
Use :
session.beginTransaction().commit();
add this in the end line of your code.
I hope this helps you.
I am using EclipseLink JPA to connect to vertica database and fetch results. Before running the below piece of code
EntityManager em = ...
Query q = em.createQuery ("SELECT x FROM Table x");
List results = q.getResultList ();
I need to first run the "SET ROLES ALL" statement for the user id. How to run such statements in JPA.
Please guide me.
for Vertica, you can do two things:
set your default role for the user:
alter user myuser default role myrole;
use connection string property "ConnSettings" as described in the Vertica connection string docs (https://my.vertica.com/docs/6.1.x/HTML/index.htm#13173.htm):
A string containing SQL statements that the JDBC driver automatically
runs after it connects to the database. This property is useful to set
the locale, set the schema search path, or perform other configuration
that the connection requires.
Your connection string could look like something like this:
jdbc:vertica://myverticaserver/mydb?ConnSettings=SET+ROLE+myrole