4.1 Parameters for queries

Hibernate allows you to pass parameters to a query. This makes all work with queries and the database simpler.

It is very rare to find a query that never changes. At first it seems you only need to return a list of items from the database. Then it turns out you need the list of the most recent products for a particular user on a particular date. Sorted by the required column, and not the whole list, but a particular page: for example, products 21 through 30.

And this is exactly what parameterized queries solve. You write the query in HQL, then replace the values that can change with "special names", that is, parameters. Then, separately, when executing the query, you pass the values of those parameters.

Let's write an HQL query that returns all tasks for an employee with a given name:

from EmployeeTask where employee.name = "Ivan Ivanovich"

Now let's replace the name with a parameter:

from EmployeeTask where employee.name = :username

And here is what the Java code for finding the tasks looks like:


String hql = "from EmployeeTask where employee.name = :username";
Query<EmployeeTask> query = session.createQuery( hql, EmployeeTask.class);
query.setParameter("username", "Ivan Ivanovich");
List<EmployeeTask> resultLIst = query.list();

Also, instead of a parameter name, you can use just a number. Ordinal (JPA-style) parameters in HQL are written as ?1, ?2 and so on:

// Ordinal parameter ?1 is bound by its position number
String hql = "from EmployeeTask where employee.name = ?1";
Query<EmployeeTask> query = session.createQuery(hql, EmployeeTask.class);
query.setParameter(1, "Ivan Ivanovich");
List<EmployeeTask> resultList = query.list();

Although it is better, of course, to use names: the code is easier to read and maintain.

4.2 The setParameterList() method

There are also cases when the parameter value is not a single value but a list of objects. For example, we want to check whether an employee's occupation is in a certain list.

Here is how it can be done:


String hql = "from EmployeeTask where occupation IN (:occupation_list)";
Query<EmployeeTask> query = session.createQuery( hql, EmployeeTask.class);
query.setParameterList("occupation_list", new String[] {"Programmer", "Tester"});
List<EmployeeTask> resultLIst = query.list();

Four kinds of lists can be passed as the parameter value:

  • an array of objects: Object[]
  • a collection: Collection
  • a typed array: T[]
  • a typed collection: Collection<T>

If you are going to pass a typed collection or array, you must pass the data type as the third argument. Example:


String hql = "from EmployeeTask where occupation IN (:occupation_list)";
Query<EmployeeTask> query = session.createQuery( hql, EmployeeTask.class);
query.setParameterList("occupation_list", new String[] {"Programmer", "Tester"}, String.class);
List<EmployeeTask> resultLIst = query.list();

Nalika nggarap parameter dhaptar, sampeyan uga bisa nggunakake nomer tinimbang jeneng parameter. Nanging maneh, jeneng luwih trep.

4.3 Protection against SQL injection

One of the most important purposes of parameters is to protect the database from SQL injection. Many beginner programmers, instead of using parameters, simply concatenate the query string from several parts.

Instead of writing like this:


String hql = "from EmployeeTask where employee.name = :username";
Query<EmployeeTask> query = session.createQuery( hql, EmployeeTask.class);
query.setParameter("username", "Ivan Ivanovich");
List<EmployeeTask> resultLIst = query.list();

They write like this:

// Vulnerable: the value is glued directly into the query text
String hql = "from EmployeeTask where employee.name = " + "Ivan Ivanovich";
Query<EmployeeTask> query = session.createQuery(hql, EmployeeTask.class);
List<EmployeeTask> resultList = query.list();

Don't do that! Never glue an SQL/HQL query together from separate pieces, because sooner or later the user name will come from the client. And a malicious hacker will send a string like: "Ivan"; DROP TABLE user;

Then your query to the database will take the form:


from EmployeeTask where employee.name = "Ivan"; DROP TABLE user;

And it is still a good outcome if your data is merely deleted. Someone could also write this:


from EmployeeTask where employee.name = "Ivan";
UPDATE user SET password = '1' WHERE user.role = 'admin'

Or this:


from EmployeeTask where employee.name = "Ivan";
UPDATE user SET role = 'admin' WHERE user.id = 123;
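Putting sections 4.1 to 4.3 together, here is an added example (not code from the original text) of a small repository class in which every value that can come from a client is bound through setParameter() or setParameterList() and never concatenated into the HQL. It assumes Hibernate 5.2 or later on the classpath, an EmployeeTask entity mapped with the employee.name and occupation fields used above, and an open Session supplied by the caller; the class name is hypothetical.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.hibernate.Session;
import org.hibernate.query.Query;

// Hypothetical repository (added example): the HQL text is constant and only
// parameter values change at runtime, so client input can never alter the query.
public class EmployeeTaskRepository {

    // Section 4.1: a single named parameter. An input such as
    //   "Ivan"; DROP TABLE user;
    // reaches the database as an ordinary string value that is only ever
    // compared with employee.name; it is not parsed as part of the statement.
    private static final String BY_NAME =
            "from EmployeeTask where employee.name = :username";

    // Section 4.2: a list parameter inside IN (...), bound with setParameterList().
    private static final String BY_OCCUPATIONS =
            "from EmployeeTask where occupation IN (:occupation_list)";

    public List<EmployeeTask> findByEmployeeName(Session session, String username) {
        Query<EmployeeTask> query = session.createQuery(BY_NAME, EmployeeTask.class);
        query.setParameter("username", username);
        return query.list();
    }

    public List<EmployeeTask> findByOccupations(Session session,
                                                Collection<String> occupations) {
        // Edge case: an empty list can expand to "IN ()", which many databases
        // reject, so answer with an empty result instead of sending it.
        if (occupations == null || occupations.isEmpty()) {
            return Collections.emptyList();
        }
        Query<EmployeeTask> query = session.createQuery(BY_OCCUPATIONS, EmployeeTask.class);
        query.setParameterList("occupation_list", occupations);
        return query.list();
    }
}
```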