3
We are using the Sqldroid to work as a JDBC driver for Android. However, Sqldroid is an envelope for Android API calls, and this API does not deal well with nulls.
So, for us to use PreparedStatements directly we need to bypass all setNull() (or some setString(idx, null) that may occur indirectly, as when the variable is null), the first strategy was to make this check while mounting the query. For example, we have made the following outline for the product search given a textual parameter (and that can occasionally be null if called programmatically):
// String param é um parâmetro
String paramStr = Optional.ofNullable(param).orElse("");
String paramOrNullStr = Optional.ofNullable(param).map(p -> "'" + p + "'").orElse("null");
String query = " SELECT " +
" p.cd_produto, " +
" ov.cd_cliente, " +
" ov.cd_org_venda, " +
" ov.cd_tab_preco " +
" FROM produto p " +
" CROSS JOIN org_venda ov " +
" WHERE " +
" ( " + paramOrNullStr + " IS NULL) OR " +
" ( " +
" p.nm_produto LIKE '%" + paramStr + "%' OR " +
" p.cd_produto LIKE '%" + paramStr + "%' OR " +
" p.cd_referencia LIKE '%" + paramStr + "%' OR " +
" p.cod_barras LIKE '%" + paramStr + "%' " +
" ) ";
But this is counterintuitive and counterproductive. So I started to work on implementing an outline for this. As Android offers the interfaces of JDBC, I opened any project in Java 8 and created a class to extend PreparedStatement. Eclipse created for me the class with a huge list of TODOs and, when I confirmed the operation and put to compile in the Android project, I came across this:
C:\Users\Jefferson Quesado\Documents\geosales-nu\numobile\android\app\src\main\java\com\example\evo_mobile\sqldroid\drive\PstmtNullSafe.java:358: error: method does not override or implement a method from a supertype
@Override
^
C:\Users\Jefferson Quesado\Documents\geosales-nu\numobile\android\app\src\main\java\com\example\evo_mobile\sqldroid\drive\PstmtNullSafe.java:360: error: invalid method reference
putPreparer("closeOnCompletion", PreparedStatement::closeOnCompletion);
^
cannot find symbol
symbol: method closeOnCompletion()
location: interface PreparedStatement
When I went to see, this function appeared in Java 7, next to the isCloseOnCompletion, but did not enter Android (see the definition of Statement)
So, how to make the compatibility of my implementing class PreparedStatement so that it works on Android?
- should worry only about Android and remove these methods?,
- should turn into a proxy and make the directions according to the methods called?,
- or should I simply remove the
@Overrideand leave a false return? (as the Sqldroid did)
Which factors should lead to the decision of the desired strategy?
I don’t know the answer (if I knew, I would post one). However, whatever it is, this SQL injection you left open would be a very bad thing.
– Victor Stafusa
Have you heard of Lombok? If not, this might help you: https://projectlombok.org/features/Delegate.html
– Victor Stafusa
@Victorstafusa, I heard long ago to simplify getters and setters. I’ll give a read on the subject, thanks for the tip
– Jefferson Quesado
In fact, it helps a lot when you have many delegates but few really needed
@Override. How will I create thePreparedStatementreal so Lazy to be able to replace the parameter marks?by stringnullin SQL, I was trying to keep these calls from preparing the statement at the proper time. But in fact, this Lombok alternative is a quick way to intercept some calls and delegate the others– Jefferson Quesado