Posted to commits@plc4x.apache.org by sr...@apache.org on 2021/06/07 15:25:41 UTC

[plc4x] branch develop updated: plc4j: fix sql injection issues

This is an automated email from the ASF dual-hosted git repository.

sruehl pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/plc4x.git


The following commit(s) were added to refs/heads/develop by this push:
     new 4a9a744  plc4j: fix sql injection issues
4a9a744 is described below

commit 4a9a744d4467bcf8cfcb51974936d5b8ec5d4989
Author: Sebastian Rühl <sr...@apache.org>
AuthorDate: Mon Jun 7 17:25:24 2021 +0200

    plc4j: fix sql injection issues
---
 .../integration/iotdb/IoTDBWriterWithJDBC.java     | 39 +++++++++++-----------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java b/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
index 9f446b9..e3b8cb3 100644
--- a/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
+++ b/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
@@ -19,35 +19,30 @@
 
 package org.apache.plc4x.java.examples.integration.iotdb;
 
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.sql.Statement;
+import java.sql.*;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class IoTDBWriterWithJDBC implements IIoTDBWriter{
-    private static Logger LOGGER = LoggerFactory.getLogger(IoTDBWriterWithJDBC.class);
+public class IoTDBWriterWithJDBC implements IIoTDBWriter {
+    private static final Logger LOGGER = LoggerFactory.getLogger(IoTDBWriterWithJDBC.class);
 
     //IoTDB JDBC connection
-    Connection connection;
-
-    //IoTDB JDBC Statement
-    Statement statement;
+    private final Connection connection;
 
     public IoTDBWriterWithJDBC(String ipPort, String username, String password)
         throws ClassNotFoundException, SQLException {
         // Get IoTDB connection
         Class.forName("org.apache.iotdb.jdbc.IoTDBDriver");
-        connection = DriverManager.getConnection("jdbc:iotdb://" + ipPort+"/",
+        connection = DriverManager.getConnection("jdbc:iotdb://" + ipPort + "/",
             username, password);
-        statement = connection.createStatement();
     }
 
     @Override
     public void initStorageGroup(String storageGroup) {
-        try {
-            statement.execute("SET STORAGE GROUP TO root." + storageGroup);
+        try (PreparedStatement statement = connection.prepareStatement("SET STORAGE GROUP TO root.?")) {
+            statement.setObject(1, storageGroup);
+            statement.execute();
         } catch (SQLException e) {
             //from v0.9.0, you can use the error code to check whether the sg exists.
             LOGGER.error(e.getMessage());
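Review bot: The `?` on line 68 sits inside the path identifier `root.?`, and JDBC parameter markers bind values, not identifiers, so the storage-group name still reaches the statement through whatever substitution the IoTDB driver performs for a marker in that position (a driver may reject it or emit a quoted literal, which changes the statement's meaning); the same applies to the device and field names bound at lines 82-84 and the timeseries path and data type bound at lines 97-99. To actually close the injection path, validate each identifier against a strict allow-list before it is placed into the statement text, e.g. `private static final Pattern IDENT = Pattern.compile("[A-Za-z0-9_.]+");` and `if (!IDENT.matcher(storageGroup).matches()) throw new IllegalArgumentException("invalid storage group: " + storageGroup);` (needs `java.util.regex.Pattern`), and keep `?` only for the timestamp and value positions. `statement.setObject(1, storageGroup)` at line 69 is also inconsistent with the `setString` used for every other string parameter in this commit. The wildcard `import java.sql.*;` at line 37 replaces four explicit imports while the slf4j imports stay explicit; `import java.sql.Connection;`, `DriverManager`, `PreparedStatement` and `SQLException` would keep the file's convention.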
@@ -57,10 +52,12 @@ public class IoTDBWriterWithJDBC implements IIoTDBWriter{
     @Override
     public void writeData(String deviceId, String field, long timestamp, Integer value) {
         //please modify this method if you want to write multiple fields once.
-        try {
-            String sql = String.format("insert into %s (timestamp, %s) values (%d, %s)",
-                deviceId, field, timestamp, value + "");
-            statement.execute(sql);
+        try (PreparedStatement statement = connection.prepareStatement("INSERT INTO ? (TIMESTAMP, ?) VALUES (?, ?)")) {
+            statement.setString(1, deviceId);
+            statement.setString(2, field);
+            statement.setLong(3, timestamp);
+            statement.setInt(4, value);
+            statement.execute();
         } catch (SQLException e) {
             LOGGER.error("Error storing data.", e);
         }
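Review bot: `statement.setInt(4, value)` at line 86 unboxes the `Integer value` parameter, so a null value now throws NullPointerException, which the `catch (SQLException e)` below does not handle; the removed `value + ""` formatting tolerated null. Either reject it up front with `Objects.requireNonNull(value, "value");` (needs `java.util.Objects`) or bind it as `statement.setObject(4, value, Types.INTEGER);` so a null is passed to the driver as SQL NULL rather than crashing the caller. Binding `deviceId` and `field` as parameters in identifier positions at lines 82-84 has the same problem raised on the first hunk. writeData's closing brace lies outside the hunk.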
@@ -77,8 +74,10 @@ public class IoTDBWriterWithJDBC implements IIoTDBWriter{
 
     @Override
     public void createTimeseries(String timeseries, String dataType) {
-        try {
-            statement.execute("create timeseries " + timeseries + " with dataType=" + dataType +",encoding=RLE");
+        try (PreparedStatement statement = connection.prepareStatement("CREATE TIMESERIES ? WITH DATATYPE = ?, ENCODING = RLE")) {
+            statement.setString(1, timeseries);
+            statement.setString(2, dataType);
+            statement.execute();
         } catch (SQLException e) {
             //from v0.9.0, you can use the error code to check whether the sg exists.
             LOGGER.error(e.getMessage());