From: Roland Haeder
Date: Thu, 13 Aug 2015 12:45:32 +0000 (+0200)
Subject: Rewrote handling of values, now it is better secured using prepared statements
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=b3e4809507d3d61f8114d93f630b8e7818274c40;p=jcore.git
Rewrote handling of values, now it is better secured using prepared statements
Signed-off-by:Roland Häder
---
diff --git a/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java b/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
index 2d71d90..c1a38e6 100644
--- a/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
+++ b/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
@@ -19,11 +19,12 @@ package org.mxchange.jcore.database.backend.mysql;
 import java.io.IOException;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
 import java.text.MessageFormat;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.Map;
 import java.util.Set;
 import org.mxchange.jcore.criteria.searchable.SearchableCritera;
@@ -128,11 +129,20 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 // Debug message
 this.getLogger().debug(MessageFormat.format("set.isEmpty()={0}", set.isEmpty()));
 
+ // Init values
+ Set values = new LinkedHashSet<>(set.size());
+
 // Are there conditions?
 if (!set.isEmpty()) {
 // Continue with WHERE
 query.append(" WHERE ");
 
+ // No more than 1 value currently
+ if (set.size() > 1) {
+ // Not supported yet
+ throw new IllegalArgumentException("More than one criteria is not supported yet.");
+ }
+
 // Get iterator
 Iterator> iterator = set.iterator();
 
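Review bot: `Set values = new LinkedHashSet<>(set.size());` stores the bind parameters in a Set, so two criteria carrying the same value (two `true` flags, two equal strings) collapse into one element while the `=?` placeholders appended at @@ -153 stay one per criterion, and the binding loop at @@ -177 would then leave the last placeholder unset. Today the `set.size() > 1` guard hides this, but it becomes a live defect the moment that guard is lifted. A `List<Object> values = new ArrayList<>(set.size());` (import `java.util.ArrayList`) keeps exactly one value per placeholder, in order. The guard also throws `IllegalArgumentException` while the throw at @@ -153, which appears to be the same method, reports unsupported input as `SQLException`; the enclosing method starts and ends outside the hunk.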
@@ -153,7 +163,12 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 // Which type has the value?
 if (value instanceof Boolean) {
 // Boolean value
- query.append(String.format("=%s", value.toString()));
+ query.append("=?");
+ values.add(value);
+ } else if (value instanceof String) {
+ // String value
+ query.append("=?");
+ values.add(value);
 } else {
 // Cannot handle this
 throw new SQLException(MessageFormat.format("Cannot handle value={0} for key={1} in table {2}", value, entry.getKey(), this.getTableName()));
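Review bot: The `Boolean` and `String` branches have identical bodies (`query.append("=?"); values.add(value);`), so the check can be one condition, `if (value instanceof Boolean || value instanceof String) {` with a single body, which also keeps the set of bindable types in one place for the loop at @@ -177 that dispatches on the same two types again. The parameterization covers only the value: the column name from `entry.getKey()` appears to be appended to `query` before this branch (outside the hunk), so it still reaches the SQL text verbatim and must come from a trusted source or be checked against the known column names. The enclosing loop and method start and end outside the hunk.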
@@ -177,10 +192,49 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 this.getLogger().debug(MessageFormat.format("query={0} is complete.", query));
 
 // Prepare statement instance
- Statement statement = connection.createStatement();
+ PreparedStatement statement = connection.prepareStatement(query.toString());
+
+ // Debug message
+ this.getLogger().debug(MessageFormat.format("statement={0}", statement));
+
+ // Get iterator on values
+ Iterator valueIterator = values.iterator();
+
+ // Init index with 1
+ int index = 1;
+
+ // Set all values
+ while (valueIterator.hasNext()) {
+ // Get next value
+ Object value = valueIterator.next();
+
+ //Debug message
+ this.getLogger().debug(MessageFormat.format("value={0} at index={1}", value, index));
+
+ // Detect type again
+ if (value instanceof Boolean) {
+ // Debug log
+ this.getLogger().debug(MessageFormat.format("Setting boolean value={0} for index={1}", value, index));
+
+ // Found boolean
+ statement.setBoolean(index, (boolean) value);
+ } else if (value instanceof String) {
+ // Debug message
+ this.getLogger().debug(MessageFormat.format("Setting string value={0} for index={1}", value, index));
+
+ // Found string
+ statement.setString(index, (String) value);
+ } else {
+ // Not parseable type
+ throw new SQLException(MessageFormat.format("Cannot handle value={0} for index={1} in table {2}", value, index, this.getTableName()));
+ }
+
+ // Increment index
+ index++;
+ }
 
 // Run it
- ResultSet resultSet = statement.executeQuery(query.toString());
+ ResultSet resultSet = statement.executeQuery();
 
 // The result set needs to be transformed into Result, so initialize a result instance here
 Result result = this.getFrontend().getResultFromSet(resultSet);
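Review bot: The three new debug calls (`value={0} at index={1}`, `Setting boolean value={0} …`, `Setting string value={0} …`) write every bound value to the log; criteria values are caller-supplied data that can include credentials or personal data, so the log line should carry only the type and the index, e.g. one `this.getLogger().debug(MessageFormat.format("Binding {0} at index={1}", value.getClass().getSimpleName(), index));` per iteration in place of the three. The `else` branch is reachable only if something other than a `Boolean` or `String` entered `values`, which the filter at @@ -153 prevents, so a short comment marking it as a defensive guard would help the next reader. Neither `statement` nor `resultSet` is closed within the hunk; the method continues past it, and if they are not closed there, a try-with-resources around `connection.prepareStatement(...)` is warranted. The `Iterator valueIterator` / `Object value` pair could be a for-each over `values` with `index` as the only loop state. The enclosing method starts and ends outside the hunk.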