Preparing dynamic SQL and executing it using Spring

Ranch Hand
Posts: 50
Hi,

Can we prepare an SQL query dynamically in the Spring framework?

Suppose,

select emp.lastname, dept.deptno from emp, dept where emp.empno = dept.empno and dept.deptno = 123;

select emp.lastname, dept.deptno from emp, dept where emp.empno = dept.empno and dept.deptno = 123 and emp.firstname = 'emp1';


My scenario is, I may get only deptno = 123, or emp.firstname = 'emp1', or both from a client trying to fetch data.

So is there any way to prepare these SQL statements dynamically, using a properties file in Spring?

Sometimes even the table names are different. Suppose, instead of dept, the salary table has to be referred to. Please suggest whether we can dynamically include the table name also.

Thanks in advance,

Regards,
Susmitha.
 
Rancher
Posts: 2759
You can, using Spring JDBC or JPA. It depends on what you are using already. When using Spring JDBC, you will be creating JDBC queries. When using JPA, you will be using JPA queries.

However, remember that dynamic queries are the major source of security holes that arise due to SQL injection. You can prevent SQL injection by using prepared statements/parameterized named queries. If you are creating queries dynamically, you should make sure the queries are not created from user input, and if they are, they are sanitized.
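As an added example (not code from either poster), here is one way to put the answer's advice into practice with Spring JDBC for the question's exact scenario: the optional deptno and firstname filters are appended as named parameters so their values go to the driver as PreparedStatement parameters and never become part of the SQL text, while the table name, which cannot be bound as a parameter, is checked against a fixed allow-list before it is concatenated. The class name, the allow-list of "dept" and "salary", and the assumption that both tables carry empno and deptno columns are constructed for the example; NamedParameterJdbcTemplate and MapSqlParameterSource are Spring's own classes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

/**
 * Assembles the employee query from whichever filters the client actually
 * supplied. Filter values never touch the SQL text: they are bound as named
 * parameters, which Spring passes through as PreparedStatement parameters.
 * The one piece of SQL text that does vary, the joined table name, is checked
 * against a fixed allow-list before it is concatenated.
 */
public class DynamicEmployeeQuery {

    /** Holds the generated SQL and its bound parameters together. */
    public static final class BuiltQuery {
        public final String sql;
        public final MapSqlParameterSource params;

        BuiltQuery(String sql, MapSqlParameterSource params) {
            this.sql = sql;
            this.params = params;
        }
    }

    // Constructed allow-list of tables the client may choose between
    // (assumption: each has empno and deptno columns, as dept does in the question).
    private static final Set<String> ALLOWED_TABLES = Set.of("dept", "salary");

    /**
     * @param table     table to join against emp ("dept" or "salary")
     * @param deptno    optional department filter; null means "not supplied"
     * @param firstname optional first-name filter; null or empty means "not supplied"
     */
    public static BuiltQuery build(String table, Integer deptno, String firstname) {
        // Identifiers cannot be bound as parameters, so the table name is the one
        // place where client input would reach the SQL text: reject anything that
        // is not a known table rather than trying to escape it.
        if (table == null || !ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not permitted: " + table);
        }

        StringBuilder sql = new StringBuilder("select emp.lastname, t.deptno from emp join ")
                .append(table)
                .append(" t on emp.empno = t.empno");

        List<String> conditions = new ArrayList<>();
        MapSqlParameterSource params = new MapSqlParameterSource();

        // Each optional filter contributes a ":name" placeholder plus a bound value,
        // never the value itself, so a firstname containing quotes is just a string.
        if (deptno != null) {
            conditions.add("t.deptno = :deptno");
            params.addValue("deptno", deptno);
        }
        if (firstname != null && !firstname.isEmpty()) {
            conditions.add("emp.firstname = :firstname");
            params.addValue("firstname", firstname);
        }
        if (!conditions.isEmpty()) {
            sql.append(" where ").append(String.join(" and ", conditions));
        }
        return new BuiltQuery(sql.toString(), params);
    }

    /** Runs the built query through Spring's NamedParameterJdbcTemplate. */
    public static List<String> lastNames(NamedParameterJdbcTemplate jdbc,
                                         String table, Integer deptno, String firstname) {
        BuiltQuery q = build(table, deptno, firstname);
        return jdbc.query(q.sql, q.params, (rs, rowNum) -> rs.getString("lastname"));
    }

    public static void main(String[] args) {
        // Shows the generated SQL text for the question's three cases; no database
        // connection is needed for this part.
        System.out.println(build("dept", 123, null).sql);
        System.out.println(build("dept", null, "emp1").sql);
        System.out.println(build("salary", 123, "emp1").sql);
    }
}
```

The same split applies if the two base statements are kept in a properties file: store the SQL with ":deptno" and ":firstname" placeholders and bind the values at run time, and keep the set of permitted table names in code or configuration rather than accepting one from the request.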