details:   https://code.openbravo.com/erp/devel/pi/rev/54f5cc848bee
changeset: 35711:54f5cc848bee
user:      Nono Carballo <nonofce <at> gmail.com>
date:      Thu May 02 12:00:38 2019 -0400
summary:   Fixes issue 40523: Uses bind parameters in query

Instead of using string concatenation to form the query, bind parameters are
used.

details:   https://code.openbravo.com/erp/devel/pi/rev/a09be04c90d7
changeset: 35712:a09be04c90d7
user:      Víctor Martínez Romanos <victor.martinez <at> openbravo.com>
date:      Fri May 03 09:54:13 2019 +0200
summary:   Related to issue 40523: code review improvements
Centralize localStrLine definition in just one line, when it's used.
Change parameter names to make conflicts with user-defined params less
likely.
Remove 'if' for corner case. This creates a very small change in this scenario:
  select 'RecordId: ' || @RecordId@ || ', Line: ' || @Line@ from dual
  When Line is null then:
    Before: NULL
    After: RecordId: 3232199ED4824EE3A07BCC1E580ABFE7, Line: NULL

diffstat:

 src/org/openbravo/erpCommon/ad_forms/FactLine.java |  50 ++++++---------------
 1 files changed, 14 insertions(+), 36 deletions(-)

diffs (98 lines):

diff -r 6524aa2ee769 -r a09be04c90d7 
src/org/openbravo/erpCommon/ad_forms/FactLine.java
--- a/src/org/openbravo/erpCommon/ad_forms/FactLine.java        Thu May 02 
16:04:44 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_forms/FactLine.java        Fri May 03 
09:54:13 2019 +0200
@@ -11,7 +11,7 @@
  * Portions created by Jorg Janke are Copyright (C) 1999-2001 Jorg Janke, parts
  * created by ComPiere are Copyright (C) ComPiere, Inc.;   All Rights Reserved.
  * Contributor(s): Openbravo SLU
- * Contributions are Copyright (C) 2001-2017 Openbravo S.L.U.
+ * Contributions are Copyright (C) 2001-2019 Openbravo S.L.U.
  ******************************************************************************
  */
 package org.openbravo.erpCommon.ad_forms;
@@ -19,21 +19,18 @@
 import java.math.BigDecimal;
 import java.math.RoundingMode;
 import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
 
 import javax.servlet.ServletException;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.hibernate.query.NativeQuery;
 import org.openbravo.base.secureApp.VariablesSecureApp;
 import org.openbravo.dal.core.OBContext;
 import org.openbravo.dal.service.OBDal;
 import org.openbravo.database.ConnectionProvider;
 import org.openbravo.erpCommon.utility.SequenceIdData;
-import org.openbravo.exception.NoConnectionAvailableException;
 import org.openbravo.model.common.currency.ConversionRateDoc;
 import org.openbravo.model.common.currency.Currency;
 
@@ -1127,38 +1124,24 @@
   public StringBuffer getDescription(ConnectionProvider connectionProvider, 
String strC_Bpartner_ID,
       String strC_AcctSchema_ID, String strAD_Table_ID, String strRecord_ID, 
String strLine)
       throws ServletException {
-    String localStrLine = strLine;
     StringBuffer description = new StringBuffer();
     String strSql = AcctServerData.selectDescription(connectionProvider, 
strAD_Table_ID,
         strC_AcctSchema_ID);
     try {
-      if (!strSql.equals("")/* && strLine!=null && !strLine.equals("") */) {
-        strSql = strSql.replaceAll("@RecordId@", "'" + strRecord_ID + "'");
-        if (localStrLine == null || localStrLine.equals("")) {
-          localStrLine = "NULL";
-        } else {
-          localStrLine = "'" + localStrLine + "'";
+      if (!StringUtils.isBlank(strSql)) {
+        strSql = strSql.replaceAll("@RecordId@", ":paramRecordId")
+            .replaceAll("@Line@", ":paramLineId");
+
+        @SuppressWarnings("rawtypes")
+        NativeQuery query = 
OBDal.getInstance().getSession().createSQLQuery(strSql);
+        if (strSql.contains(":paramRecordId")) {
+          query.setParameter("paramRecordId", strRecord_ID);
         }
-        strSql = strSql.replaceAll("@Line@", localStrLine);
-        Statement st = connectionProvider.getStatement();
-        ResultSet result;
-        try {
-          if (st.execute(strSql)) {
-            result = st.getResultSet();
-            while (result.next()) {
-              description.append(result.getString(1));
-            }
-            result.close();
-          }
-        } catch (SQLException e) {
-          log4jFactLine.error("SQL error in query: " + strSql + "Exception:" + 
e);
-          throw new ServletException(Integer.toString(e.getErrorCode()));
-        } finally {
-          try {
-            connectionProvider.releaseStatement(st);
-          } catch (Exception ignored) {
-          }
+        if (strSql.contains(":paramLineId")) {
+          query.setParameter("paramLineId", StringUtils.isBlank(strLine) ? 
"NULL" : strLine);
         }
+        final String result = (String) query.uniqueResult();
+        description.append(StringUtils.defaultIfBlank(result, 
StringUtils.EMPTY));
       }
       if (description.length() == 0) {
         description.append((m_docVO.DocumentNo == null) ? "" : 
m_docVO.DocumentNo);
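Review bot: `query.uniqueResult()` near the end of the hunk changes behaviour for a description template that returns more than one row: the removed loop (`while (result.next())`) appended every row's first column, whereas Hibernate's `uniqueResult()` throws `NonUniqueResultException` on a second row, which then reaches the caller as a `ServletException` through the generic catch later in the method. If multi-row templates are possible, `for (Object row : query.list()) { description.append(StringUtils.defaultIfBlank((String) row, StringUtils.EMPTY)); }` keeps the old semantics; if they are not, a comment stating the single-row contract would make the choice deliberate. The bind parameters cover only `@RecordId@` and `@Line@`, so the rest of the SQL returned by `AcctServerData.selectDescription` is still executed verbatim through `createSQLQuery` and must stay trusted configuration rather than user input — a one-line comment such as `// template SQL is AD configuration; only the record/line tokens are bound` would help the next reader. Binding the text `"NULL"` for a blank line is documented in the commit message for the concatenation case, but a template that compares `@Line@` (e.g. `line = @Line@` or `@Line@ IS NULL`) now sees the string 'NULL' instead of a SQL NULL, and getDescription continues past the end of this hunk.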
@@ -1180,11 +1163,6 @@
       if (description.length() > 255) {
         description = new StringBuffer(description.substring(0, 254));
       }
-    } catch (NoConnectionAvailableException ex) {
-      throw new ServletException("@CODE=NoConnectionAvailable");
-    } catch (SQLException ex2) {
-      throw new ServletException(
-          "@CODE=" + Integer.toString(ex2.getErrorCode()) + "@" + 
ex2.getMessage());
     } catch (Exception ex3) {
       throw new ServletException("@CODE=@" + ex3.getMessage());
     }
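Review bot: With the `SQLException` catch removed, a failing native query now falls into `catch (Exception ex3)` and is reported as `@CODE=@<message>` without the vendor error code that the deleted branch encoded as `@CODE=<code>@`; if any caller parses that code out of the `ServletException` message (inferred, not visible here), this is a behavioural regression, and the wrapped `SQLException` could be recovered via `ex3.getCause()` to preserve it. Independently, the surviving throw keeps only the message and drops the cause, so `throw new ServletException("@CODE=@" + ex3.getMessage(), ex3);` would retain the stack for diagnosis. The enclosing getDescription method starts before this hunk.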

