[Help] How to make getText() return the result in case sensitive ?


Tom Anderson

All right, but it remains that PreparedStatement isn't the only way to
reject SQL injection. Immunity against SQL injection is important, but
that does not require PreparedStatement, it's facilitated by
PreparedStatement.

Oh, i see what you mean. Yes, true.

Hang on, when you say 'type safety', what do you mean? Do you mean at the
java level, or preventing the client code sending an integer parameter
where a string is needed and things like that? I'd been assuming the
former, but i'm not sure i've understood right.
I rate protection against injection by mathematical expectation - not
only the fact that it happens, but the likelihood of occurrence makes
type safety more important. You always need type safety; SQL injection
attacks are rare by comparison.

If you mean java-level type safety, then this is manifestly untrue, since
there are highly successful typeless languages, which show that you never
need type safety. If you mean SQL-level type safety, then yes, you're
quite right.

tom
 

Tom Anderson

@Lew
How to solve it? As I mentioned above, when I didn't call
Class.forName("com.mysql.jdbc.Driver"),
NetBeans showed the error message "No suitable driver found" even though I included the
MySQL driver libraries in my project. The program will not run without
this call.

No, but you only need to make it once per invocation of the application.
You could do it in a static block - add:

static {
    try {
        Class.forName("com.mysql.jdbc.Driver") ;
    } catch (ClassNotFoundException e) { throw new ExceptionInInitializerError(e) ; } // checked exception: a static block cannot propagate it
}

to your app class definition.

tom
 

Tom Anderson

Oh, i see what you mean. Yes, true.

Hang on, when you say 'type safety', what do you mean? Do you mean at the
java level, or preventing the client code sending an integer parameter where
a string is needed and things like that? I'd been assuming the former, but
i'm not sure i've understood right.

Furthermore, i wonder if you could use generics to unite the two.

If you consider statements with one parameter, then something like:

interface Connection {
    <T> PreparedStatement<T> prepareStatement(String sql, Class<T> paramType) ;
}

interface PreparedStatement<T> {
    ResultSet executeQuery(T param) ;
}

Where prepareStatement would throw an exception if the paramType didn't
match that which was implied by the query string.

I don't think you can extend this to arbitrarily sized argument lists,
though. You'd need something like:

interface Connection {
PreparedStatement<T...> prepareStatement(String sql, Class<T...> paramtype...) ;
}

interface PreparedStatement<T...> {
ResultSet executeQuery(T... param...) ;
}

With client code looking like:

PreparedStatement<String, int> stmt =
conn.prepareStatement("SELECT * FROM customers WHERE county = ? AND creditLimit >= ?", String.class, int.class) ;
ResultSet rows = stmt.executeQuery("Rutland", 4000) ;

AFAIK, there's no way to do this in present-day java.

Well, not without genuine evil ...

abstract class Parameter<T, P extends Parameter<?, ?>> {
    private final T value ;

    protected Parameter(T value) {
        this.value = value ;
    }
    public T getValue() {
        return value ;
    }
    public abstract P getNextParameter() ;
}

class Param<T, P extends Parameter<?, ?>> extends Parameter<T, P> {
    private final P next ;

    public Param(T value, P next) {
        super(value) ;
        this.next = next ;
    }
    public P getNextParameter() {
        return next ;
    }
}

class Null extends Parameter<Void, Null> {
    public static final Null NO_MORE_PARAMS = new Null() ;

    private Null() {
        super(null) ;
    }
    public Null getNextParameter() {
        return null ;
    }
}

interface PreparedStatement<P extends Parameter<?, ?>> {
    ResultSet executeQuery(P param) ;
}

import static Null.NO_MORE_PARAMS ; // needs Null to live in a named package
PreparedStatement<Param<String, Param<Integer, Null>>> stmt ; // construction left open, see below
stmt.executeQuery(new Param<>("B. L. Zebub", new Param<>(666, NO_MORE_PARAMS))) ;

I haven't actually tried to compile this, so i'm not sure it's right. I
also haven't quite thought through how you'd construct the actual
PreparedStatement object in such a way that type safety was preserved. You
might need a generic ParameterType class too.

My head hurts.

tom
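A smaller version of the typed-parameter idea that does compile in present-day Java, added here as an example and not code from Tom's post or from any JDBC driver: each value carries the JDBC setter for its own Java type, so a value can never be bound with the wrong setter, and the number of arguments is checked against the placeholders when the query runs. What it still cannot do, as Tom says, is check the parameter types against the SQL text; that check happens in the database. The `customers` table and the query are taken from the client-code sketch above; the `name` column, and the names `Param`, `TypedQuery` and `RowHandler`, are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** A parameter value paired with the JDBC setter for its Java type, so the two cannot disagree. */
final class Param<T> {
    @FunctionalInterface
    interface Binder<V> {
        void bind(PreparedStatement ps, int index, V value) throws SQLException;
    }

    private final T value;
    private final Binder<T> binder;

    private Param(T value, Binder<T> binder) {
        this.value = value;
        this.binder = binder;
    }

    // One factory per supported Java type; an unsupported type fails to compile, not at run time.
    static Param<String> of(String value) {
        return new Param<>(value, (ps, i, v) -> ps.setString(i, v));
    }

    static Param<Integer> of(int value) {
        return new Param<>(value, (ps, i, v) -> ps.setInt(i, v));
    }

    void bindTo(PreparedStatement ps, int index) throws SQLException {
        binder.bind(ps, index, value);
    }
}

/** SQL text with '?' placeholders; the placeholder count is compared with the arguments on each run. */
final class TypedQuery {
    /** Reads rows from a ResultSet that TypedQuery closes once the handler returns. */
    @FunctionalInterface
    interface RowHandler<R> {
        R handle(ResultSet rs) throws SQLException;
    }

    private final String sql;
    private final int placeholders;

    TypedQuery(String sql) {
        this.sql = sql;
        this.placeholders = countPlaceholders(sql);
    }

    // Simplification: counts every '?', including any that sit inside a string literal.
    static int countPlaceholders(String sql) {
        int n = 0;
        for (int i = 0; i < sql.length(); i++) {
            if (sql.charAt(i) == '?') {
                n++;
            }
        }
        return n;
    }

    <R> R run(Connection con, RowHandler<R> handler, Param<?>... params) throws SQLException {
        if (params.length != placeholders) {
            throw new IllegalArgumentException("query has " + placeholders
                    + " placeholders but " + params.length + " arguments were supplied");
        }
        // try-with-resources closes the statement and result set even if the handler throws.
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                params[i].bindTo(ps, i + 1); // JDBC parameter indexes start at 1
            }
            try (ResultSet rs = ps.executeQuery()) {
                return handler.handle(rs);
            }
        }
    }
}

class TypedQueryDemo {
    static final TypedQuery BY_COUNTY_AND_LIMIT = new TypedQuery(
            "SELECT * FROM customers WHERE county = ? AND creditLimit >= ?");

    // Assumed for this demo: the customers table has a 'name' column.
    static List<String> customerNames(Connection con, String county, int creditLimit) throws SQLException {
        // Param.of(county) is a Param<String>, Param.of(creditLimit) a Param<Integer>: swapping the
        // order still compiles, but each value is always bound with the setter for its own type.
        return BY_COUNTY_AND_LIMIT.run(con, rs -> {
            List<String> names = new ArrayList<>();
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
            return names;
        }, Param.of(county), Param.of(creditLimit));
    }
}
```

The design trades Tom's compile-time arity check for a run-time one: `Param<?>...` is an ordinary varargs parameter, so passing three arguments to a two-placeholder query is caught only when `run` is called, whereas the chain-of-`Param` sketch would reject it at compile time at the price of the nested type signature.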
 

tobleron

Well, for Pete's sake, calling it zero times is not the solution!  I pointed
out that you only need to call it once.  Calling it zero times is not
following the advice.

@Lew and Tom
I don't quite understand. I've tried to follow your suggestion, but it
can't run. Maybe you can write it explicitly within my code below (FYI,
I used NetBeans 6.1 and this code is only a part for a button click):

@Action public void doLogin() {
    String url = "jdbc:mysql://localhost:3306/dicom?jdbcCompliantTruncation=false";
    Connection con;
    PreparedStatement passwordLookup;

    try {
        Class.forName("com.mysql.jdbc.Driver");
    } catch (java.lang.ClassNotFoundException e) {
        System.err.println(e);
    }

    try {
        con = DriverManager.getConnection(url, "root", "");
        String sql = "SELECT userid,passwd FROM user WHERE userid = BINARY ? AND passwd = BINARY ?";
        passwordLookup = con.prepareStatement(sql);
        char[] passwdnya = passwdTxt.getPassword();
        String convertedChars = new String(passwdnya);
        passwordLookup.setString(1, userIDTxt.getText().trim());
        passwordLookup.setString(2, convertedChars.trim());
        ResultSet result = passwordLookup.executeQuery();

        if (result.next()) {
            setVisible(false);
            if (ecgMenuBox == null) {
                JFrame mainFrame = Main.getApplication().getMainFrame();
                ecgMenuBox = new ECGMenu(mainFrame);
                ecgMenuBox.setLocationRelativeTo(mainFrame);
            }
            Main.getApplication().show(ecgMenuBox);
        } else {
            setVisible(false);
            if (loginWarningBox == null) {
                JFrame mainFrame = Main.getApplication().getMainFrame();
                mainFrame.setSize(100, 80);
                loginWarningBox = new LoginWarning(mainFrame);
                loginWarningBox.setLocationRelativeTo(mainFrame);
            }
            Main.getApplication().show(loginWarningBox);
        }
        result.close();
        passwordLookup.close();
        con.close();
    } catch (SQLException e) {
        System.err.println(e);
    }
}

@All
Is there anyone who can help me understand why NetBeans shows this
warning?

Oct 2, 2008 2:56:02 PM org.jdesktop.application.LocalStorage getId
WARNING: unspecified resource Application.id using Main
Oct 2, 2008 2:56:02 PM org.jdesktop.application.LocalStorage getId
WARNING: unspecified resource Application.vendorId using
UnknownApplicationVendor
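The lookup in the post already binds both values, which is the part that keeps SQL out of the user's hands. Added here as an example, not tobleron's code, Tom's code or anything from the MySQL driver, is a self-contained version of the same lookup that shows the remaining points from the thread in one place: the driver loaded from a static initializer as Tom suggested, the concatenated form of the query beside the bound one only to show why binding matters, try-with-resources so the connection, statement and result set are closed even when an exception is thrown, and the password array overwritten afterwards. The database name, table, columns and the BINARY comparison follow the post; the URL, the account name, and the names `LoginLookup`, `concatenatedSql` and `credentialsMatch` are assumptions. It keeps the post's schema, in which `passwd` is compared in clear; storing a password hash instead is a separate change.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;

public class LoginLookup {

    // Static initializer: runs once when the class is loaded, which is all the driver needs.
    // Class.forName throws a checked exception that a static block cannot propagate as-is.
    static {
        try {
            Class.forName("com.mysql.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Database name and URL parameter follow the original post; the account is a placeholder
    // (an application account with only the rights it needs, rather than root).
    private static final String URL =
            "jdbc:mysql://localhost:3306/dicom?jdbcCompliantTruncation=false";
    private static final String DB_USER = "app_user";     // placeholder
    private static final String DB_PASSWORD = "changeme"; // placeholder

    /**
     * Concatenated form, shown only for contrast and never executed here: the user-controlled
     * strings become part of the SQL text, so a quote in either field alters the statement.
     */
    static String concatenatedSql(String userId, String password) {
        return "SELECT userid,passwd FROM user WHERE userid = BINARY '" + userId
                + "' AND passwd = BINARY '" + password + "'";
    }

    /**
     * Bound form: the SQL text is a constant with two placeholders and both values go through
     * setString, so the driver always sends them as data. BINARY keeps the MySQL comparison
     * case-sensitive, as in the original post.
     */
    static boolean credentialsMatch(Connection con, String userId, char[] password)
            throws SQLException {
        final String sql = "SELECT 1 FROM user WHERE userid = BINARY ? AND passwd = BINARY ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userId.trim());
            ps.setString(2, new String(password).trim());
            // The statement and result set are closed even if executeQuery throws.
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        } finally {
            // Best effort: the char[] from JPasswordField.getPassword() can be overwritten,
            // the String copy handed to setString cannot.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed inputs: a legitimate user id that happens to contain an apostrophe.
        String userId = "o'brien";
        char[] password = "s3cret".toCharArray();

        // In the concatenated form the apostrophe ends the string literal early and the
        // statement no longer parses; in the bound form it is just one more character of data.
        System.out.println(concatenatedSql(userId, new String(password)));

        try (Connection con = DriverManager.getConnection(URL, DB_USER, DB_PASSWORD)) {
            System.out.println(credentialsMatch(con, userId, password)
                    ? "login accepted" : "login rejected");
        }
    }
}
```

Running `main` against a MySQL instance with the post's `user` table prints the broken concatenated statement first, then the outcome of the bound lookup; the concatenated string is built only to be printed and is never sent to the database.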
 

Tom Anderson

@Lew and Tom
I don't quite understand. I've tried to follow your suggestion, but it
can't run. Maybe you can write it explicitly within my code below (FYI,
I used NetBeans 6.1 and this code is only a part for a button click):

Copy and paste the code i wrote above into one of your classes. It has to
be inside a class, and there's no class in the code you posted, so i can't
explicitly write it in there. What class does this method belong to? Put
it in there. Right after the line that says:

public class MyClass {

It's called a static initializer, or sometimes just a static block by the
lazy and imprecise such as myself. Read:

https://java.sun.com/docs/books/tutorial/java/javaOO/initial.html

@All
Is there anyone who can help me understand why NetBeans shows this
warning?

Oct 2, 2008 2:56:02 PM org.jdesktop.application.LocalStorage getId
WARNING: unspecified resource Application.id using Main
Oct 2, 2008 2:56:02 PM org.jdesktop.application.LocalStorage getId
WARNING: unspecified resource Application.vendorId using
UnknownApplicationVendor

No idea.

tom
 

Lew

tobleron said:
@Lew and Tom
I don't quite understand. I've tried to follow your suggestion, but it
can't run. Maybe you can write it explicitly within my code below (FYI,
I used NetBeans 6.1 and this code is only a part for a button click):

<http://sscce.org/>
 

Daniel Pitts

Lew said:
Second-most importantly. Most importantly it provides type safety.
My opinion is that either they tie, or Type Safety is secondary.

Lack of type safety can lead to a user-visible bug, but lack of
injection safety can lead to data loss or data exposure.

In either case, there is no reason to put unescaped SQL into a String to
be executed, so PreparedStatement isn't really optional, regardless of
the most important reason ;-)
 
