From b3e4809507d3d61f8114d93f630b8e7818274c40 Mon Sep 17 00:00:00 2001
From: Roland Haeder
Date: Thu, 13 Aug 2015 14:45:32 +0200
Subject: [PATCH] =?utf8?q?Rewrote=20handling=20of=20values,=20now=20it=20i?=
 =?utf8?q?s=20better=20secured=20using=20prepared=20statements=20Signed-of?=
 =?utf8?q?f-by:Roland=20H=C3=A4der=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 .../backend/mysql/MySqlDatabaseBackend.java | 62 +++++++++++++++++--
 1 file changed, 58 insertions(+), 4 deletions(-)

diff --git a/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java b/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
index 2d71d90..c1a38e6 100644
--- a/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
+++ b/src/org/mxchange/jcore/database/backend/mysql/MySqlDatabaseBackend.java
@@ -19,11 +19,12 @@ package org.mxchange.jcore.database.backend.mysql;
 import java.io.IOException;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
 import java.text.MessageFormat;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.Map;
 import java.util.Set;
 import org.mxchange.jcore.criteria.searchable.SearchableCritera;
@@ -128,11 +129,20 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 // Debug message
 this.getLogger().debug(MessageFormat.format("set.isEmpty()={0}", set.isEmpty()));
 
+ // Init values
+ Set values = new LinkedHashSet<>(set.size());
+
 // Are there conditions?
 if (!set.isEmpty()) {
 // Continue with WHERE
 query.append(" WHERE ");
 
+ // No more than 1 value currently
+ if (set.size() > 1) {
+ // Not supported yet
+ throw new IllegalArgumentException("More than one criteria is not supported yet.");
+ }
+
 // Get iterator
 Iterator> iterator = set.iterator();
 
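Review bot: `values` is declared as a `Set` (`Set values = new LinkedHashSet<>(set.size());`), but the bound parameters are positional, so two criteria that happen to carry the same value would be collapsed into one entry and the number of `?` placeholders would no longer match the number of `setXxx` calls made from that collection. The `set.size() > 1` guard masks this today; as soon as it is lifted the mismatch surfaces as an SQLException at bind time rather than as a clear error. A `List<Object> values = new ArrayList<>(set.size());` keeps exactly one entry per placeholder in insertion order (which needs `java.util.ArrayList` and `java.util.List` added in the import hunk above). If the generics on `Set` and on `Iterator> iterator` were not just lost in rendering, the raw types should also get their element types back. The enclosing method starts and ends outside this hunk.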
@@ -153,7 +163,12 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 // Which type has the value?
 if (value instanceof Boolean) {
 // Boolean value
- query.append(String.format("=%s", value.toString()));
+ query.append("=?");
+ values.add(value);
+ } else if (value instanceof String) {
+ // String value
+ query.append("=?");
+ values.add(value);
 } else {
 // Cannot handle this
 throw new SQLException(MessageFormat.format("Cannot handle value={0} for key={1} in table {2}", value, entry.getKey(), this.getTableName()));
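Review bot: The `Boolean` and `String` branches are identical (`query.append("=?"); values.add(value);`), so they can be folded into one condition, `if (value instanceof Boolean || value instanceof String) {`, leaving the per-type dispatch to the bind loop later in the method. The SQLException on the last line still interpolates the raw `value` into its message; if a criterion can carry a credential or other sensitive field, reporting `value.getClass().getSimpleName()` instead keeps it out of exception traces and logs. The column name from `entry.getKey()` appears to still be appended to `query` as text outside this hunk, so the prepared statement protects the value side only; whether keys are validated against known column names cannot be seen from here. The enclosing method starts and ends outside this hunk.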
@@ -177,10 +192,49 @@ public class MySqlDatabaseBackend extends BaseDatabaseBackend implements Databas
 this.getLogger().debug(MessageFormat.format("query={0} is complete.", query));
 
 // Prepare statement instance
- Statement statement = connection.createStatement();
+ PreparedStatement statement = connection.prepareStatement(query.toString());
+
+ // Debug message
+ this.getLogger().debug(MessageFormat.format("statement={0}", statement));
+
+ // Get iterator on values
+ Iterator valueIterator = values.iterator();
+
+ // Init index with 1
+ int index = 1;
+
+ // Set all values
+ while (valueIterator.hasNext()) {
+ // Get next value
+ Object value = valueIterator.next();
+
+ //Debug message
+ this.getLogger().debug(MessageFormat.format("value={0} at index={1}", value, index));
+
+ // Detect type again
+ if (value instanceof Boolean) {
+ // Debug log
+ this.getLogger().debug(MessageFormat.format("Setting boolean value={0} for index={1}", value, index));
+
+ // Found boolean
+ statement.setBoolean(index, (boolean) value);
+ } else if (value instanceof String) {
+ // Debug message
+ this.getLogger().debug(MessageFormat.format("Setting string value={0} for index={1}", value, index));
+
+ // Found string
+ statement.setString(index, (String) value);
+ } else {
+ // Not parseable type
+ throw new SQLException(MessageFormat.format("Cannot handle value={0} for index={1} in table {2}", value, index, this.getTableName()));
+ }
+
+ // Increment index
+ index++;
+ }
 
 // Run it
- ResultSet resultSet = statement.executeQuery(query.toString());
+ ResultSet resultSet = statement.executeQuery();
 
 // The result set needs to be transformed into Result, so initialize a result instance here
 Result result = this.getFrontend().getResultFromSet(resultSet);
-- 
2.39.5
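Review bot: The bind loop writes every bound value to the debug log three times (`value={0} at index={1}`, `Setting boolean value={0} ...`, `Setting string value={0} ...`), so any sensitive criterion value lands in the log file; the index and `value.getClass().getSimpleName()` are enough to troubleshoot binding. The new `PreparedStatement` is never closed, and the `throw new SQLException(...)` in the loop's else branch leaves it open on the error path too, so it should be opened in a try-with-resources block, with the rest of the method's use of `resultSet` kept inside that block because closing the statement closes its result set (the `ResultSet` itself has the same issue unless `getResultFromSet` takes ownership, which is outside this hunk). The manual `Iterator` loop reads more simply as an enhanced `for` over `values`. The enclosing method continues past the end of this hunk.
```java
		// Prepare statement instance; try-with-resources closes it on every exit path
		try (PreparedStatement statement = connection.prepareStatement(query.toString())) {
			int index = 1;

			// Bind all values in placeholder order
			for (Object value : values) {
				// Log type and position only, never the value itself
				this.getLogger().debug(MessageFormat.format("Binding {0} at index={1}", value.getClass().getSimpleName(), index));

				if (value instanceof Boolean) {
					statement.setBoolean(index, (boolean) value);
				} else if (value instanceof String) {
					statement.setString(index, (String) value);
				} else {
					throw new SQLException(MessageFormat.format("Cannot handle value type {0} for index={1} in table {2}", value.getClass().getName(), index, this.getTableName()));
				}

				index++;
			}

			// Run it
			ResultSet resultSet = statement.executeQuery();

			// … unchanged: result transformation via getFrontend().getResultFromSet(resultSet) and the remainder of the method, now inside the try block …
```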