
To avoid SQL injection attacks in my project, I'm attempting to access the database using parameterized queries. Right now I know how to handle the equality case like below (with Spring JdbcTemplate):

String sql = "SELECT * FROM T_USER WHERE USERNAME = ? AND PASSWORD = ?";
jdbcTemplate.query(sql, 
                   new UserRowMapper(), 
                   new Object[]{"%admin%", "%password%"});

The above code runs with no problem, but I have no idea how to handle the 'IN' case. Following is my case, and it fails:

String sql = 
   "SELECT * FROM T_USER WHERE USERNAME = ? AND PASSWORD = ? AND CLASS_ID IN (?)";
jdbcTemplate.query(sql, 
                   new UserRowMapper(), 
                   new Object[]{"%admin%", "%password%", "1,2,3"});

Can anybody give me guidance? Thanks a lot.

  • Which RDBMS are you using, and which language (C#, Java, VB.Net, Turbo Pascal)? Commented Nov 2, 2012 at 3:55
  • I'm using DB2 and with Java language (Spring JdbcTemplate), thanks for reply. Commented Nov 2, 2012 at 3:57
  • Is NamedParameterJdbcTemplate best for this case? Commented Nov 2, 2012 at 4:02
  • You can build your query to have parameters inside the IN clause from java. See this question in C#: stackoverflow.com/questions/337704/parameterize-a-sql-in-clause Commented Jun 28, 2014 at 6:22

2 Answers

1

I think you can create a List and pass it as the 3rd parameter. Also, you need to use LIKE in place of = in the first two column filters.

List<Integer> classIds = new ArrayList<Integer>();
classIds.add(1);
classIds.add(2);
classIds.add(3);

String sql = "SELECT * FROM T_USER WHERE "+
              "USERNAME LIKE ? AND PASSWORD LIKE ? AND CLASS_ID IN (?)";
jdbcTemplate.query(sql, new Object[]{"%admin%", "%password%", classIds},
                                                         new UserRowMapper());

Please note: Here is the syntax:

public List query(String sql, Object[] args, RowMapper rowMapper) 
             throws DataAccessException

EDIT: Please try namedParameterJdbcTemplate as below:

String sql = "SELECT * FROM T_USER WHERE "+
           "USERNAME LIKE :uname AND PASSWORD LIKE :passwd AND CLASS_ID IN (:ids)";
Map<String, Object> namedParameters = new HashMap<String, Object>();
namedParameters.put("uname", "%admin%");
namedParameters.put("passwd", "%password%");
namedParameters.put("ids", classIds);
List result = namedParameterJdbcTemplate.query(sql, namedParameters, 
                                               new UserRowMapper());

14 Comments

Thanks for your reply. I follow your way to do it got below error: org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [SELECT* FROM PFRAS.USER_PROFILE WHERE USERNAME LIKE ? AND PASSWORD LIKE ? AND ID IN (?)]; nested exception is com.ibm.db2.jcc.am.io: [jcc][1091][10824][3.57.82] 数据转换无效:参数实例 [1, 35] 对于所请求的转换无效。 ERRORCODE=-4461, SQLSTATE=42815
Sorry, I use a Chinese-version DB2; some messages may confuse you.
@BradyChu: I updated the answer. Basically, RowMapper is the third argument in the query() method and you were using it as the second. Please swap and try.
The same exception occurs also.
@BradyChu: What is the data type of the CLASS_ID column? Also, if you are using %...% in the param, then you should use LIKE, not =. Updated the answer.
0

Three options:

  1. Generate different JDBC queries for each length of the IN LIST, and parameterize each INDIVIDUAL item, e.g. this answer
  2. For small tables, you can cheat and use a LIKE statement, e.g. this answer
  3. Use a SPLIT function (anti-LISTAGG) to turn the delimited list into individual rows of one column each, and JOIN against it. Example SPLIT function
    • You'll parameterize the argument to the function as a single string
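The two approaches the answers converge on, shown together as an added example (not code from either answer): binding a Collection to a named parameter so NamedParameterJdbcTemplate expands it to one placeholder per element, and, for plain JdbcTemplate, generating one `?` per element and binding each value individually (option 1 of the second answer). It assumes spring-jdbc on the classpath, an injected DataSource, and the question's hypothetical User/UserRowMapper types; T_USER and CLASS_ID are the question's names. Both methods guard the empty-list case, since `IN ()` is not valid SQL.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

/**
 * Parameterizing an IN clause with Spring JDBC (added example).
 * Assumes: spring-jdbc on the classpath, a DataSource supplied by the caller,
 * and the question's hypothetical User / UserRowMapper classes.
 */
public class UserDao {

    private final JdbcTemplate jdbcTemplate;
    private final NamedParameterJdbcTemplate namedTemplate;
    // UserRowMapper is the (hypothetical) mapper from the question.
    private final RowMapper<User> rowMapper = new UserRowMapper();

    public UserDao(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
        this.namedTemplate = new NamedParameterJdbcTemplate(dataSource);
    }

    /**
     * Option A: bind the List to :ids. NamedParameterJdbcTemplate rewrites
     * "IN (:ids)" to "IN (?, ?, ?)" and binds each element separately, so the
     * values never become part of the SQL text.
     */
    public List<User> findByClassIdsNamed(String username, List<Integer> classIds) {
        if (classIds.isEmpty()) {
            return Collections.emptyList(); // "IN ()" is a syntax error; do not send it
        }
        String sql = "SELECT * FROM T_USER WHERE USERNAME = :uname AND CLASS_ID IN (:ids)";
        MapSqlParameterSource params = new MapSqlParameterSource()
                .addValue("uname", username)
                .addValue("ids", classIds);
        return namedTemplate.query(sql, params, rowMapper);
    }

    /**
     * Option B: plain JdbcTemplate. Only the placeholder COUNT is spliced into
     * the statement; every value is still passed as a bound parameter.
     */
    public List<User> findByClassIdsPositional(String username, List<Integer> classIds) {
        if (classIds.isEmpty()) {
            return Collections.emptyList();
        }
        String sql = "SELECT * FROM T_USER WHERE USERNAME = ? AND CLASS_ID IN ("
                + placeholders(classIds.size()) + ")";
        List<Object> args = new ArrayList<Object>();
        args.add(username);
        args.addAll(classIds);
        return jdbcTemplate.query(sql, args.toArray(), rowMapper);
    }

    /** Builds "?, ?, ?" for n values; n comes from the list size, never from user text. */
    static String placeholders(int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append('?');
        }
        return sb.toString();
    }
}
```

Both variants produce a distinct statement text for each distinct list length, so a prepared-statement cache holds one entry per length; the second answer's SPLIT-function option avoids that by binding the whole list as a single string, at the cost of a database-side function.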
