postgresql - JDBC Postgres stored function call returning setof 'myType' -

-

i'm trying protect database sql injection. have many stored functions return setof predefined data types. example:

create type userloginuseridpasswordreturntype (   userid integer, -- user.id   password text  );  create or replace function "user_login_get_id_password"(usernamein text) returns setof userloginuseridpasswordreturntype $$ declare     sql text; begin       sql =  'select id, cryptpwd "user" username = ' || usernamein ||';';       return query execute sql; end; $$ language 'plpgsql';

i call these stored procedures java front-end. i've read, using callablestatement safer regards sql injection. have far:

public arraylist<string> userlogingetidpassword(string username){         arraylist<string> result = new arraylist<string>();         try{             string commandtext = "{call user_login_get_id_password(?)}";             this.cstmt = this.myconnection.preparecall(commandtext);             this.cstmt.setobject(1, username); //          this.rs = this.cstmt.execute();             this.rs = cstmt.executequery();             while (this.rs.next()){                 result.add(this.rs.getstring(1));             }         } catch (sqlexception e){             system.out.println("sql exception: ");             e.printstacktrace();         }         return result;     }

if try using execute() method, asks me set resultset rs boolean. if run way (executequery()) first field (userid) of returntype can seen in resultset.

if call stored procedure such:

public arraylist<string> userlogingetidpassword(string username){         arraylist<string> result = new arraylist<string>();         try{             string query = "select \"user_login_get_id_password\"('" + username + "');";             system.out.println(query);             this.stmt = this.myconnection.createstatement();             this.rs = this.stmt.executequery(query);             while (this.rs.next()){                 result.add(this.rs.getstring(1));             }         } catch (sqlexception e){             system.out.println("sql exception: ");             e.printstacktrace();         }         return result;     }

i correct data.

also, if there further tips protect database sql injection, kindly point them out. i've created specific postgres roles application use, implemented connectionpool (c3p0) connect database - application run on local network. i'm validating user input different java swing components in order avoid sql injection attacks (comment --, semi colon, * , other sql commands delete).

any input welcome.

thanks.

first, postgresql doesn't support call command that's why first approach fails.

on second approach have 2 problems. first sql injection. using standard binding apprach fix that. second problem difficult parse data function have called it.

a better approach like

select * user_login_get_id_password(?)

however note sql injection possible inside function. extent can avoid execute protect you. if must use execute, change query string to:

sql =  'select id, cryptpwd "user" username = ' || quote_literal(usernamein);

there no need terminating semicolon inside execute query. gets automatically terminated. need call quote_literal though (use quote_ident() if quoting table/column names).


Comments

Post a Comment

Popular posts from this blog

c# - SVN Error : "svnadmin: E205000: Too many arguments" -

-
i trying reposotries using c# code process svncommand = null; var psi = new processstartinfo("svnadmin"); psi.redirectstandardoutput = true; psi.redirectstandarderror = true; psi.useshellexecute = false; psi.arguments= @"dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump"; using (svncommand = process.start(psi)) { var myoutput = svncommand.standardoutput; var myerror = svncommand.standarderror; debug.write("output :" + environment.newline + environment.newline + myoutput.readtoend() + environment.newline + "error :" + environment.newline + environment.newline + myerror.readtoend()); svncommand.close(); } when use dump command commandline svnadmin dump c:\repositories\myrepo > c:\temp\myrepodumpfile.dump it works fine when try ...
Read more

c# - Copy ObservableCollection to another ObservableCollection -

-
how copy observablecollection item observablecollection without reference of first collection? here observablecollection item value changes affecting both collections. code private observablecollection<ratemodel> _allmetalrate = new observablecollection<ratemodel>(); private observablecollection<ratemodel> _metalrateondate = new observablecollection<ratemodel>(); public observablecollection<ratemodel> allmetalrate { { return this._allmetalrate; } set { this._allmetalrate = value; notifypropertychanged("metalrate"); } } public observablecollection<ratemodel> metalrateondate { { return this._metalrateondate; } set { this._metalrateondate = value; notifypropertychanged("metalrateondate"); } } foreach (var item in metalrateondate) allmetalrate.add(item); what causing , how can solve it? you need clone object referenced item before it's a...
Read more

All overlapping substrings matching a java regex -

-
is there api method returns (possibly overlapping) substrings match regular expression? for example, have text string: string t = 04/31 412-555-1235; , , have pattern: pattern p = new pattern("\\d\\d+"); matches strings of 2 or more characters. the matches are: 04, 31, 412, 555, 1235. how overlapping matches? i want code return: 04, 31, 41, 412, 12, 55, 555, 55, 12, 123, 1235, 23, 235, 35. theoretically should possible -- there obvious o(n^2) algorithm enumerates , checks substrings against pattern. edit rather enumerating substrings, safer use region(int start, int end) method in matcher . checking pattern against separate, extracted substring might change result of match (e.g. if there non-capturing group or word boundary check @ start/end of pattern). edit 2 actually, it's unclear whether region() expect zero-width matches. specification vague, , experiments yield disappointing results. for example: string line = "xx90xx"; strin...
Read more