You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@isis.apache.org by "Kevin Meyer (JIRA)" <ji...@apache.org> on 2010/11/05 11:21:41 UTC

[jira] Created: (ISIS-10) Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements

Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements
------------------------------------------------------------------------------------------------------

                 Key: ISIS-10
                 URL: https://issues.apache.org/jira/browse/ISIS-10
             Project: Isis
          Issue Type: Improvement
          Components: Alternatives: ObjectStore: SQL
    Affects Versions: 0.1
            Reporter: Kevin Meyer
            Assignee: Kevin Meyer
            Priority: Minor


At the moment, all "insert" and "update" commands use a fully formed SQL string with embedded values:
"insert into SQLDATACLASS (PK_ID, color,date_time) values (2252, '0','2010-03-05 22:23:000000')".

This should be updated to "insert into SQLDATACLASS (PK_ID, color,date_time) values (?,?,?)".

This should also solve issues with quoting values such as (especially affecting DB2) quoting integer, float, etc, non-string values. DB2 is throwing an exception when integers and floats are quoted ('1') instead of (1).


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] [Resolved] (ISIS-10) Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements

Posted by "Kevin Meyer (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/ISIS-10?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Meyer resolved ISIS-10.
-----------------------------

       Resolution: Fixed
    Fix Version/s: 0.1.2-incubating

All statements (insert, update, etc) use prepared statements. Values are not converted to String unless the base ValueMapper is a String value.

> Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-10
>                 URL: https://issues.apache.org/jira/browse/ISIS-10
>             Project: Isis
>          Issue Type: Improvement
>          Components: Runtimes: Dflt: Objectstores: SQL
>    Affects Versions: 0.1.2-incubating
>            Reporter: Kevin Meyer
>            Assignee: Kevin Meyer
>            Priority: Minor
>             Fix For: 0.1.2-incubating
>
>   Original Estimate: 168h
>          Time Spent: 12h
>  Remaining Estimate: 40h
>
> At the moment, all "insert" and "update" commands use a fully formed SQL string with embedded values:
> "insert into SQLDATACLASS (PK_ID, color,date_time) values (2252, '0','2010-03-05 22:23:000000')".
> This should be updated to "insert into SQLDATACLASS (PK_ID, color,date_time) values (?,?,?)".
> This should also solve issues with quoting values such as (especially affecting DB2) quoting integer, float, etc, non-string values. DB2 is throwing an exception when integers and floats are quoted ('1') instead of (1).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Closed] (ISIS-10) Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements

Posted by "Dan Haywood (Closed) (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/ISIS-10?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Haywood closed ISIS-10.
---------------------------

    
> Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-10
>                 URL: https://issues.apache.org/jira/browse/ISIS-10
>             Project: Isis
>          Issue Type: Improvement
>          Components: Runtimes: Dflt: Objectstores: SQL
>    Affects Versions: 0.1.2-incubating
>            Reporter: Kevin Meyer
>            Assignee: Kevin Meyer
>            Priority: Minor
>             Fix For: 0.2.0-incubating
>
>   Original Estimate: 168h
>          Time Spent: 12h
>  Remaining Estimate: 40h
>
> At the moment, all "insert" and "update" commands use a fully formed SQL string with embedded values:
> "insert into SQLDATACLASS (PK_ID, color,date_time) values (2252, '0','2010-03-05 22:23:000000')".
> This should be updated to "insert into SQLDATACLASS (PK_ID, color,date_time) values (?,?,?)".
> This should also solve issues with quoting values such as (especially affecting DB2) quoting integer, float, etc, non-string values. DB2 is throwing an exception when integers and floats are quoted ('1') instead of (1).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (ISIS-10) Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements

Posted by "Dan Haywood (Updated) (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/ISIS-10?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Haywood updated ISIS-10:
----------------------------

    Fix Version/s:     (was: 0.1.2-incubating)
                   0.2.0-incubating
    
> Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-10
>                 URL: https://issues.apache.org/jira/browse/ISIS-10
>             Project: Isis
>          Issue Type: Improvement
>          Components: Runtimes: Dflt: Objectstores: SQL
>    Affects Versions: 0.1.2-incubating
>            Reporter: Kevin Meyer
>            Assignee: Kevin Meyer
>            Priority: Minor
>             Fix For: 0.2.0-incubating
>
>   Original Estimate: 168h
>          Time Spent: 12h
>  Remaining Estimate: 40h
>
> At the moment, all "insert" and "update" commands use a fully formed SQL string with embedded values:
> "insert into SQLDATACLASS (PK_ID, color,date_time) values (2252, '0','2010-03-05 22:23:000000')".
> This should be updated to "insert into SQLDATACLASS (PK_ID, color,date_time) values (?,?,?)".
> This should also solve issues with quoting values such as (especially affecting DB2) quoting integer, float, etc, non-string values. DB2 is throwing an exception when integers and floats are quoted ('1') instead of (1).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira