I followed the statement DELETE [address : Address] where Address is one of the entities. Please help in this regard with possible examples on how to implement DeleteAll method.
The standard JCR-SQL2 query language defined in the JCR 2.0 (JSR-283) specification is read only, and has no delete (or update or create) functionality.
Related
We have to work with older version of an ERP system (1993).
It has multiple modules. These modules have windows(tabs). Tabs have cols (obviously).
In this tabs the USER can make a "new column" -> it's like a subquery. Query can be used only in parentheses ().
I'm just curious, is it possible to make an injection by user.
e.g.:
--basic query (self join)
(select i.my_col from my_table i where my_pk = i.pk)
--illlustrating
(select replace(i.my_col, 'UPDATE...') from my_table i where my_pk = i.pk)
Is there any way to make the second query workable ? I mean, can the user somehow update columns whit this method ?
How can i test it ?
Dynamic values can be handled for where condition through preparedStatement and setParameter however unfortunately that option is not available for dynamic column selection.
The best thing can be done is to have all possible/applicable column names before you pass to the query.
// check if my_col is possible values else throw the error.
(select replace(i.my_col, 'UPDATE...') from my_table i where my_pk = i.pk)
Avoiding SQL injection is down to the mechanism which turns the user's input into executable statements. The actual example you posted won't run, but I can think of ways it might be possible to hijack the SELECT to run malicious DML. It depends on the framework: given that the underlying software is ancient I suspect it might be extremely vulnerable.
Generally speaking, if you're worried about SQL Injection you should investigate using Oracle's built-in DBMS_ASSERT package to verify your SQL strings. Find out more
Can any one tell me how to implement for update in oracle using NHibernate? Are there any pre defined clauses for this? If not please tell me how can I implement it.
Read this chapter.
Basically, you need to get your poco using ISession.Get(Of Poco)(id, LockMode.Upgrade).
As a result, that should issue a SELECT ... FROM Poco Where Id = ? FOR UPDATE.
You can also invoke using LockMode.UpgradeNoWait to get a equivalent FOR UPDATE NOWAIT SQL Statement
I am trying to generate a Data On Demand class for one of my entities whose class name is Member. However it seems that Member is a reserved SQL keyword.
So when I run the following command in the Roo shell:
dod --entity ~.domain.Member
Roo complains that Member is a reserved keyword with the following message:
Reserved SQL keyword 'Member' is not permitted as simple type name
Does Roo allow for a way to escape the name of my entity? If so how?
If no, how can I circumvent this issue?
Someone from the Springsource team replied to me about this issue. Here is the reply:
The dod command also allows the --permitReservedWords option to
overcome your issue.
Hope it can help someone else.
What DB are you using? I don't know much about Roo, but it appears that it maps the class to a namespaced database table. What I would suggest, although this might seem crude, is to add a prefix to your entity name, e.g. SystemMember.
I am writing an application which works with a legacy database (brownfield). I have a couple of tables in which I insert data. These tables have some fields which need values of which I do not want the properties in my domain entities. Is there a way to insert the default value into the field without having to create a property for it my mapping file? I cannot alter the database to create a trigger, so it has to be done via the mapping file/.net application.
Hope someone can help. I hoped I could use a formula, but that doesn't work and I couldn't find any other ways to do it either.
you could use a private / protected property.
That would mean introducing these fields into your domain model / mappings, but they would be limited to those, and not exposed to whoever uses your entities.
seems like a reasonable compromise to me.
You could use EventListeners
in the OnPostInsert / OnPostUpdate event you can get the db connection and ad-hoc execute a sql query.
NH makes it rather easy
using xml see here
using FluentNHibernate see here
the basic idea is to use PropertyAccessor on a non existing property which always has the constant value.
I've been reading the documentation, but I couldn't find any information about it.
Is it possible to have Hibernate send user-provided SQL queries in order to UPDATE or to INSERT an object in the database?
In other words, is it possible to have session.saveOrUpdate( myObject ); , which generates update mySchema.myObject set field1=?, field2=?, field3=? where unique_key=?
to be replaced with a manual query from a user-provided String?
This is well described in the reference documentation. There are caveats, though : the session and the second-level cache aren't aware of the changes made to the entities, the version field is not updated, etc.
And if HQL is still not sufficient, you may always fall back to SQL queries.