Posted to commits@plc4x.apache.org by sr...@apache.org on 2021/06/07 15:25:41 UTC
[plc4x] branch develop updated: plc4j: fix sql injection issues
This is an automated email from the ASF dual-hosted git repository.
sruehl pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/plc4x.git
The following commit(s) were added to refs/heads/develop by this push:
new 4a9a744 plc4j: fix sql injection issues
4a9a744 is described below
commit 4a9a744d4467bcf8cfcb51974936d5b8ec5d4989
Author: Sebastian Rühl <sr...@apache.org>
AuthorDate: Mon Jun 7 17:25:24 2021 +0200
plc4j: fix sql injection issues
---
.../integration/iotdb/IoTDBWriterWithJDBC.java | 39 +++++++++++-----------
1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java b/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
index 9f446b9..e3b8cb3 100644
--- a/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
+++ b/plc4j/examples/hello-integration-iotdb/src/main/java/org/apache/plc4x/java/examples/integration/iotdb/IoTDBWriterWithJDBC.java
@@ -19,35 +19,30 @@
package org.apache.plc4x.java.examples.integration.iotdb;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.sql.Statement;
+import java.sql.*;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class IoTDBWriterWithJDBC implements IIoTDBWriter{
- private static Logger LOGGER = LoggerFactory.getLogger(IoTDBWriterWithJDBC.class);
+public class IoTDBWriterWithJDBC implements IIoTDBWriter {
+ private static final Logger LOGGER = LoggerFactory.getLogger(IoTDBWriterWithJDBC.class);
//IoTDB JDBC connection
- Connection connection;
-
- //IoTDB JDBC Statement
- Statement statement;
+ private final Connection connection;
public IoTDBWriterWithJDBC(String ipPort, String username, String password)
throws ClassNotFoundException, SQLException {
// Get IoTDB connection
Class.forName("org.apache.iotdb.jdbc.IoTDBDriver");
- connection = DriverManager.getConnection("jdbc:iotdb://" + ipPort+"/",
+ connection = DriverManager.getConnection("jdbc:iotdb://" + ipPort + "/",
username, password);
- statement = connection.createStatement();
}
@Override
public void initStorageGroup(String storageGroup) {
- try {
- statement.execute("SET STORAGE GROUP TO root." + storageGroup);
+ try (PreparedStatement statement = connection.prepareStatement("SET STORAGE GROUP TO root.?")) {
+ statement.setObject(1, storageGroup);
+ statement.execute();
} catch (SQLException e) {
//from v0.9.0, you can use the error code to check whether the sg exists.
LOGGER.error(e.getMessage());
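Review bot: The bind marker in `SET STORAGE GROUP TO root.?` carries a path segment, not a value, and the same applies to the table/column and timeseries positions in `INSERT INTO ? (TIMESTAMP, ?) VALUES (?, ?)` and `CREATE TIMESERIES ? WITH DATATYPE = ?, ENCODING = RLE` in the next two hunks; JDBC parameters are only specified for values, so whether these statements even prepare, and whether anything is escaped, depends entirely on how the IoTDB driver implements `prepareStatement`. If the driver substitutes parameters textually into the SQL string, the new code is no safer than the concatenation it replaces, so the "fix sql injection" claim should be verified against the driver before this is relied on. A driver-independent mitigation is to validate each identifier argument before it reaches the SQL, e.g. `if (!storageGroup.matches("[A-Za-z0-9_]+")) throw new IllegalArgumentException("invalid storage group name");` (constructed allowlist — adjust to the identifier grammar IoTDB accepts), and to leave a comment at the statement explaining why identifiers cannot simply be bound. Separately, `statement.setObject(1, storageGroup)` should be `statement.setString(1, storageGroup)` to match the other two hunks. The method's closing brace lies outside this hunk.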
@@ -57,10 +52,12 @@ public class IoTDBWriterWithJDBC implements IIoTDBWriter{
@Override
public void writeData(String deviceId, String field, long timestamp, Integer value) {
//please modify this method if you want to write multiple fields once.
- try {
- String sql = String.format("insert into %s (timestamp, %s) values (%d, %s)",
- deviceId, field, timestamp, value + "");
- statement.execute(sql);
+ try (PreparedStatement statement = connection.prepareStatement("INSERT INTO ? (TIMESTAMP, ?) VALUES (?, ?)")) {
+ statement.setString(1, deviceId);
+ statement.setString(2, field);
+ statement.setLong(3, timestamp);
+ statement.setInt(4, value);
+ statement.execute();
} catch (SQLException e) {
LOGGER.error("Error storing data.", e);
}
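Review bot: `statement.setInt(4, value)` unboxes the `Integer` parameter, so a null `value` now throws a `NullPointerException` that escapes the `catch (SQLException e)` block, whereas the replaced `value + ""` tolerated null. If null is not a legal input, make the precondition explicit at the top of `writeData` with `Objects.requireNonNull(value, "value");` (needs `java.util.Objects`); if it is legal, bind it with `statement.setNull(4, Types.INTEGER)` in a null branch instead of unboxing. Either way the behaviour change should be stated in the method's Javadoc, which currently only has the "please modify this method" comment. The method's closing brace lies outside this hunk.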
@@ -77,8 +74,10 @@ public class IoTDBWriterWithJDBC implements IIoTDBWriter{
@Override
public void createTimeseries(String timeseries, String dataType) {
- try {
- statement.execute("create timeseries " + timeseries + " with dataType=" + dataType +",encoding=RLE");
+ try (PreparedStatement statement = connection.prepareStatement("CREATE TIMESERIES ? WITH DATATYPE = ?, ENCODING = RLE")) {
+ statement.setString(1, timeseries);
+ statement.setString(2, dataType);
+ statement.execute();
} catch (SQLException e) {
//from v0.9.0, you can use the error code to check whether the sg exists.
LOGGER.error(e.getMessage());