I am trying to update a Db2 database using Java and the following code:
String sSqlString = "UPDATE P6DEVCDB00.P6OSTAPF SET STATVAL = '" + sStatVal + "' WHERE OPIID = '" + sOperationsitemid + "' AND CONGRPC = '" + sConfigGrpCode + "'";
// Do your select on a Db table.
//statement = con.createStatement();
statement = con.prepareStatement(sSqlString);
int RowsAffected = statement.executeUpdate();
con.commit();
System.out.println(RowsAffected);
I then get the following error :
DB2 SQL Error: SQLCODE=-7008, SQLSTATE=55019, SQLERRMC=P6OSTAPF ;
P6DEVCDB00;3, DRIVER=3.58.81
I have printed out the sql that it's going to run :
UPDATE P6DEVCDB00.P6OSTAPF SET STATVAL = 'ON'
WHERE OPIID = 'B20120707000681531' AND CONGRPC = 'STKLSTSTAT
When I run this sql directly with a SQLUI tool it works and the record gets updated...
Your problem is that you're attempting to use transactions over tables that are not 'journaled' - that is, setup for transactions.
Ideally, you should set up all tables (that will be run under a transaction) as journaled, specifically to test that property; regardless of being able to simulate failures, you need to make sure that your code can handle being under transactions.
Also, depending on your situation, you may not need to explicitly manage transactions. If you're using a framework like Spring, they can usually manage transactions for you, although this will usually mean that you still need journaling on your iSeries tables.
If you're just trying to test basic code behavior, look into using an in-memory database, such as HSQLDB (can emulate some LUW DB2 behavior, but not library lists, unfortunately) - this will absolve you of the need to have a connection to your box, and to set up journaling.
Related
We use IntelliJ IDEA actively and we have our wrappers for work with DB (PostgreSQL). The thing is that when we use placeholders, SQL is stopped being highlighted.
"select * from " + schema + ".users where id = " + id + ";";
This code is not recognised as SQL, so highlighting doesn't work.
I agree with Jesper, you should try using preparedStatements, not only would your Statements get more secure, also the problem which you are currently having should be solved by it.
My java (Hibernate, MySql) code takes the input data to decide which column I want to update as below:
String hsql = "update People set " + inputColumnName + " = null";
Query query = myHibernateSession.createQuery(hsql);
query.executeUpdate();
However, Sonarqube said "Change this code to not construct SQL queries directly from user-controlled data". Anyway I can avoid this error (either fix this or by-pass sonarqube check without turn this rule off)?
You need to restrict the variable to be a column name and remove potential for insertion of a statement. Using bind variables would help but take a look at some examples such as these: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
I need to alter a Db2 column using JDBC. The column may change its name and/or its type. In Db2 these two actions are done in two steps, the first ALTER TABLE to change the name, and the second ALTER TABLE to change the type.
For example:
ALTER TABLE T1 RENAME COLUMN C1 TO C2;
ALTER TABLE T1 ALTER COLUMN C2 SET DATA TYPE decimal(4,0);
See below the code, the first statement is executed but the second always throws an exception.
String sql = "ALTER TABLE " + tableName + " RENAME COLUMN " +
originalName + " TO " + name;
PreparedStatement ps1 = conn.prepareStatement(sql);
ps1.executeUpdate();
sql = "ALTER TABLE " + tableName + " ALTER COLUMN " + name +
" SET DATA TYPE decimal(" + sc.getLength() + "," + sc.getDec() + ")";
PreparedStatement ps2 = conn.prepareStatement(sql);
ps2.executeUpdate();
The exception is:
The operation was not performed because the table is in an invalid
state for the operation. Table name: "DB.T1".
Reason code: "23".. SQLCODE=-20054, SQLSTATE=55019, DRIVER=4.27.25
What is the meaning of a table in an "invalid state"? Why is the table in this state? What's wrong with this code?
Always give your Db2-server platform (z/os, linux/unix/windows, i series) and Db2-server version when asking for Db2-help, because the answer can depend on these facts.
The exception SQL20054N reason 23, means that the table has reached a limit on the number of alterations and before continuing, the table need to be reorganized with a REORG command. The documentation for the error is here. The REORG command will put the table back into a normal state. Normally a DBA would consider running RUNSTATS command following the REORG to ensure that table statistics are refreshed following the alterations.
Db2-LUW allows a small number of table changes (often 3) before forcing a reorg for certain kinds of alterations. Previous alterations to this table might have been performed by others, in different transactions , without getting this exception. Schema-evolution tools should detect this state and recover from it.
This is a normal situation, and the recovery is to run the REORG command.
You can either ask your DBA to do reorg for you, or you can (if your authid has the correct permissions) from jdbc call a stored procedure admin_cmd() to perform the command for you, or just use the Db2 command line interface reorg table db.t1 inplace for example . The documentation for admin_cmd is here, and if you do not understand the REORG details, ask your DBA for help.
Trying to delete record from my database, but I get the error "Unknown column '' in 'where clause'".
private void deleteUser() {
String query = "DELETE FROM user WHERE Name =" + tfemail.getText() + "";
executeQuery(query);
showUsers();
}
You can't write queries this way. Imagine someone put in the tfemail field this text:
"Joe' OR FALSE"
and let's see what that would do to your SQL query:
DELETE FROM user WHERE Name = 'Joe' OR FALSE;
bye, database!
Some dbs let you execute stuff on the server the db engine runs on. Which means this trick can be used to completely hack the machine or format the disk entirely. bye, entire machine.
This also means your executeQuery method needs to be removed - that abstraction ('here is some SQL, please run it') is rarely useful (as it cannot contain any user input), and entices you to write security leaks.
The solution is prepared statements:
PreparedStatement ps = con.prepareStatement("DELETE FROM user WHERE Name = ?");
ps.setString(1, "Joe");
ps.executeUpdate();
This solves your problem, and does so safely - ps.setString(1, "Joe' OR FALSE"); is now no longer an issue (the DB engine or JDBC driver guarantees that it will take care of the problem; the effect would be to delete the entry in your user table that literally reads "Joe' OR FALSE").
Furthermore, storing passwords in a database is not an acceptable strategy; the solution is e.g. bcrypt: Use a hashing algorithm designed specifically to store passwords.
String query = "DELETE FROM user WHERE Name ='" + tfemail.getText() + "'";
^ ^
|___________add___________|
so I have a software which basically downloads 1.5K game server address from my MySQL db. It then pings all of them and then upload the information such as online players back to the database. The process looks like this:
Download server address
Ping the servers and get information
Upload information back to the database
So far I have been able to solve the part where it download the server host name and pings them but the problem arises when updating the servers.
To update I thought about using a for loop to construct one BIG string of many update statements and execute it at once but this is prone to sql injections. So idealy one would want to use prepared statements.
The SQL update statement i'm using is:
UPDATE serverlist SET `onlineplayers` = '3', maxplayers = '10',
name = 'A game server' WHERE `ip` = 'xxx.xxx.xxx.xxx' AND `port` = 1234;
So my question is: How can i execute all the 1.5K updates statements using parameterized queries?
If you google for "jdbc bulk update" you'll get lots of results like this one or this one.
The latter has an example like this:
try {
...
connection con.setAutoCommit(false);
PreparedStatement prepStmt = con.prepareStatement(
"UPDATE DEPT SET MGRNO=? WHERE DEPTNO=?");
prepStmt.setString(1,mgrnum1);
prepStmt.setString(2,deptnum1);
prepStmt.addBatch();
prepStmt.setString(1,mgrnum2);
prepStmt.setString(2,deptnum2);
prepStmt.addBatch();
int [] numUpdates=prepStmt.executeBatch();
for (int i=0; i < numUpdates.length; i++) {
if (numUpdates[i] == -2)
System.out.println("Execution " + i +
": unknown number of rows updated");
else
System.out.println("Execution " + i +
"successful: " numUpdates[i] + " rows updated");
}
con.commit();
} catch(BatchUpdateException b) {
// process BatchUpdateException
}
Sounds like you want to do a batch SQL update. Prepared statements are your friend. Here's an example of using prepared statements in batch:
http://www.mkyong.com/jdbc/jdbc-preparedstatement-example-batch-update/
Using prepared statements makes setting parameters easier and it allows the DB to efficiently perform multiple updates. Executing multiple SQL strings would work but would be inefficient since each SQL string would be sent to the DBMS, parsed, compiled, then executed. With prepared statements the SQL is parsed and compiled once then reused for future updates with different parameters.
Another important step that you should be aware about during MySQL batch update / insert is JDBC Connection propertie rewriteBatchedStatements=true ( false by default ). Without it batch mode is useless.
It cost me 1 day to "fix bug" till I found out this.
When you have small number of lines and close client-to-DB location ( 1ms ping ) , you even can't realize that you in "fake batch mode" , but when I switch environment to remote client ( ping=100ms ) and 100k lines to update , it would take 4hours of "batch mode update" with default rewriteBatchedStatements=false and just 2minutes with rewriteBatchedStatements=true
Create a prepared statement:
String sql = "update serverlist SET onlineplayers = ?, maxplayers = ?, name = ? where ip = ? and port = ?";
PreparedStatement stmt = connection.prepareStatement(sql);
Then loop through your list, and at each iteration, do
stmt.setInt(1, onlinePlayers);
stmt.setInt(2, maxPlayers);
stmt.setString(3, name);
stmt.setString(4, ip);
stmt.setInt(5, port);
stmt.executeUpdate();
For better performance, you could also use batch updates.
Read the JDBC tutorial.