From 0954e9c0c5210b7054c17fb44a23dae8ce3b26f2 Mon Sep 17 00:00:00 2001
From: Daniel Collin
Date: Tue, 8 Dec 2015 13:22:33 +0100
Subject: [PATCH] Preventing SQL-injection with PreparedStatement

Former-commit-id: 9954c913f528fa40be32b328b3ea1dad8ece8888
---
 .classpath | 4 +-
 .../koc/hal/deamon/DataAggregatorDaemon.java | 114 +++++++++++-------
 .../hal/deamon/DataSynchronizationClient.java | 22 ++--
 .../hal/deamon/DataSynchronizationDaemon.java | 9 +-
 src/se/koc/hal/page/PCOverviewHttpPage.java | 91 +++++++-------
 src/se/koc/hal/struct/Sensor.java | 12 +-
 6 files changed, 147 insertions(+), 105 deletions(-)
diff --git a/.classpath b/.classpath
index 0a070b52..bd49a567 100644
--- a/.classpath
+++ b/.classpath
@@ -2,8 +2,6 @@
-
-
@@ -23,6 +21,8 @@
+
+
diff --git a/src/se/koc/hal/deamon/DataAggregatorDaemon.java b/src/se/koc/hal/deamon/DataAggregatorDaemon.java
index 18d5bdeb..6cb32c55 100755
--- a/src/se/koc/hal/deamon/DataAggregatorDaemon.java
+++ b/src/se/koc/hal/deamon/DataAggregatorDaemon.java
@@ -1,11 +1,11 @@
 package se.koc.hal.deamon;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.Calendar;
 import java.util.List;
-import java.util.Locale;
 import java.util.Timer;
 import java.util.TimerTask;
 import java.util.logging.Logger;
@@ -17,9 +17,6 @@ import zutil.db.SQLResultHandler;
 import zutil.db.handler.SimpleSQLResult;
 import zutil.log.LogUtil;
-/**
- * Created by Ziver on 2015-12-03.
- */
 public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 private static final Logger logger = LogUtil.getLogger();
 public static final long FIVE_MINUTES_IN_MS = 5 * 60 * 1000;
@@ -49,40 +46,60 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 public void aggregateSensor(long sensorId) {
 DBConnection db = HalContext.getDB();
+ PreparedStatement stmt = null;
 try {
- Long maxDBTimestamp = db.exec("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == "+sensorId, new SimpleSQLResult());
+ stmt = db.getPreparedStatement("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == ?");
+ stmt.setLong(1, sensorId);
+ Long maxDBTimestamp = DBConnection.exec(stmt, new SimpleSQLHandler());
 if(maxDBTimestamp == null) maxDBTimestamp = 0l;
 // 5 minute aggregation
 long minPeriodTimestamp = getTimestampMinutePeriodStart(5, System.currentTimeMillis());
 logger.fine("Calculating 5 min periods... (from:"+ maxDBTimestamp +", to:"+ minPeriodTimestamp +")");
- db.exec("SELECT * FROM sensor_data_raw "
- + "WHERE sensor_id == "+sensorId+" AND timestamp > " + maxDBTimestamp + " AND timestamp < " + minPeriodTimestamp
- + " ORDER BY timestamp ASC",
- new FiveMinuteAggregator());
+ stmt = db.getPreparedStatement("SELECT * FROM sensor_data_raw"
+ +" WHERE sensor_id == ? AND timestamp > ? AND timestamp < ? "
+ +" ORDER BY timestamp ASC");
+ stmt.setLong(1, sensorId);
+ stmt.setLong(2, maxDBTimestamp);
+ stmt.setLong(3, minPeriodTimestamp);
+ DBConnection.exec(stmt, new FiveMinuteAggregator());
 // hour aggregation
- maxDBTimestamp = db.exec("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == "+sensorId+" AND timestamp_end-timestamp_start == " + (HOUR_IN_MS-1), new SimpleSQLResult());
+ stmt = db.getPreparedStatement("SELECT MAX(timestamp_end) FROM sensor_data_aggr"
+ +" WHERE sensor_id == ? AND timestamp_end-timestamp_start == ?");
+ stmt.setLong(1, sensorId);
+ stmt.setLong(2, HOUR_IN_MS-1);
+ maxDBTimestamp = DBConnection.exec(stmt, new SimpleSQLHandler());
 if(maxDBTimestamp == null) maxDBTimestamp = 0l;
 long hourPeriodTimestamp = getTimestampMinutePeriodStart(60, System.currentTimeMillis()-HOUR_AGGREGATION_OFFSET);
 logger.fine("Calculating hour periods... (from:"+ maxDBTimestamp +", to:"+ hourPeriodTimestamp +")");
- db.exec("SELECT * FROM sensor_data_aggr "
- + "WHERE sensor_id == "+sensorId+" AND " + maxDBTimestamp + " < timestamp_start AND timestamp_start < " + hourPeriodTimestamp + " AND timestamp_end-timestamp_start == " + (FIVE_MINUTES_IN_MS-1)
- +" ORDER BY timestamp_start ASC",
- new HourAggregator());
+ stmt = db.getPreparedStatement("SELECT * FROM sensor_data_aggr"
+ +" WHERE sensor_id == ? AND ? < timestamp_start AND timestamp_start < ? AND timestamp_end-timestamp_start == ?"
+ +" ORDER BY timestamp_start ASC");
+ stmt.setLong(1, sensorId);
+ stmt.setLong(2, maxDBTimestamp);
+ stmt.setLong(3, hourPeriodTimestamp);
+ stmt.setLong(4, FIVE_MINUTES_IN_MS-1);
+ DBConnection.exec(stmt, new HourAggregator());
 // day aggregation
- maxDBTimestamp = db.exec("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == "+sensorId+" AND timestamp_end-timestamp_start == " + (DAY_IN_MS-1), new SimpleSQLResult());
+ stmt = db.getPreparedStatement("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == ? AND timestamp_end-timestamp_start == ?");
+ stmt.setLong(1, sensorId);
+ stmt.setLong(2, DAY_IN_MS-1);
+ maxDBTimestamp = DBConnection.exec(stmt, new SimpleSQLHandler());
 if(maxDBTimestamp == null) maxDBTimestamp = 0l;
 long dayPeriodTimestamp = getTimestampHourPeriodStart(24, System.currentTimeMillis()-DAY_AGGREGATION_OFFSET);
 logger.fine("Calculating day periods... (from:"+ maxDBTimestamp +", to:"+ dayPeriodTimestamp +")");
- db.exec("SELECT * FROM sensor_data_aggr "
- + "WHERE sensor_id == "+sensorId+" AND " + maxDBTimestamp + " < timestamp_start AND timestamp_start < " + dayPeriodTimestamp + " AND timestamp_end-timestamp_start == " + (HOUR_IN_MS-1)
- +" ORDER BY timestamp_start ASC",
- new DayAggregator());
-
+ stmt = db.getPreparedStatement("SELECT * FROM sensor_data_aggr"
+ +" WHERE sensor_id == ? AND ? < timestamp_start AND timestamp_start < ? AND timestamp_end-timestamp_start == ?"
+ +" ORDER BY timestamp_start ASC");
+ stmt.setLong(1, sensorId);
+ stmt.setLong(2, maxDBTimestamp);
+ stmt.setLong(3, dayPeriodTimestamp);
+ stmt.setLong(4, HOUR_IN_MS-1);
+ DBConnection.exec(stmt, new DayAggregator());
 logger.fine("Done aggregation");
 } catch (SQLException e) {
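Review bot: `stmt` is assigned six fresh PreparedStatements in aggregateSensor and none of them is closed; unless `DBConnection.exec` closes the statement it is handed, every daemon run leaks six statements per sensor, and the same reassign-without-close pattern appears in DataSynchronizationClient and PCOverviewHttpPage in this commit. If the project targets Java 7 or later, scoping each one in try-with-resources makes the lifetime explicit, e.g. `try (PreparedStatement s = db.getPreparedStatement("SELECT MAX(timestamp_end) FROM sensor_data_aggr WHERE sensor_id == ?")) { s.setLong(1, sensorId); maxDBTimestamp = DBConnection.exec(s, new SimpleSQLHandler()); }`. Separately, the new code instantiates `SimpleSQLHandler` while the only handler import still visible in this file is `zutil.db.handler.SimpleSQLResult` (hunk @@ -17,9); unless a wildcard import exists outside the hunks this will not compile, and if it does, the SimpleSQLResult import is now unused. The body of aggregateSensor continues past the end of the hunk.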
@@ -124,13 +141,14 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 if(currentPeriodTimestamp != 0 && periodTimestamp != currentPeriodTimestamp){
 float confidence = count / 5f;
 logger.finer("Calculated minute period: "+ currentPeriodTimestamp +" sum: "+ sum +" confidence: "+ confidence);
- HalContext.getDB().exec(String.format(Locale.US, "INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(%d, %d, %d, %d, %d, %f)",
- result.getInt("sensor_id"),
- Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1,
- currentPeriodTimestamp,
- currentPeriodTimestamp + FIVE_MINUTES_IN_MS -1,
- sum,
- confidence));
+ PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement("INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(?, ?, ?, ?, ?, ?)");
+ prepStmt.setInt(1, result.getInt("sensor_id"));
+ prepStmt.setLong(2, Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1);
+ prepStmt.setLong(3, currentPeriodTimestamp);
+ prepStmt.setLong(4, currentPeriodTimestamp + FIVE_MINUTES_IN_MS - 1);
+ prepStmt.setInt(5, sum);
+ prepStmt.setFloat(6, confidence);
+ DBConnection.exec(prepStmt);
 // Reset variables
 currentPeriodTimestamp = periodTimestamp;
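Review bot: The eight-line INSERT block is repeated verbatim in FiveMinuteAggregator, HourAggregator (hunk @@ -156,13) and DayAggregator (hunk @@ -193,13), differing only in the period constant and the confidence variable; a private static helper taking (sensorId, start, end, sum, confidence) leaves one place to maintain when the column list changes. While doing that, note that `Sensor.getHighestSequenceId(...)` already returns MAX(sequence_id)+1 according to the Sensor.java hunk, so the extra `+ 1` here skips every other sequence id — presumably unintended, though it predates this commit. Also `prepStmt.setInt(1, result.getInt("sensor_id"))` binds sensor_id as an int while aggregateSensor and DataSynchronizationClient bind the same column with setLong; one width for the column avoids truncation surprises. The enclosing handleQueryResult method starts before and ends after this hunk.
```java
// inside DataAggregatorDaemon; replaces the prepStmt lines in each of the three aggregators
private static void insertAggregate(long sensorId, long start, long end, int sum, float confidence) throws SQLException {
    PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement(
            "INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(?, ?, ?, ?, ?, ?)");
    prepStmt.setLong(1, sensorId);
    // kept as in the original; getHighestSequenceId already adds 1, so this is likely a double increment
    prepStmt.setLong(2, Sensor.getHighestSequenceId(sensorId) + 1);
    prepStmt.setLong(3, start);
    prepStmt.setLong(4, end);
    prepStmt.setInt(5, sum);
    prepStmt.setFloat(6, confidence);
    DBConnection.exec(prepStmt);
}

// call site in FiveMinuteAggregator (hour/day analogous with HOUR_IN_MS / DAY_IN_MS and aggrConfidence)
insertAggregate(result.getLong("sensor_id"), currentPeriodTimestamp, currentPeriodTimestamp + FIVE_MINUTES_IN_MS - 1, sum, confidence);
```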
@@ -156,13 +174,14 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 if(currentPeriodTimestamp != 0 && periodTimestamp != currentPeriodTimestamp){
 float aggrConfidence = confidenceSum / 12f;
 logger.finer("Calculated hour period: "+ currentPeriodTimestamp +" sum: "+ sum +" confidence: "+ aggrConfidence);
- HalContext.getDB().exec(String.format(Locale.US, "INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(%d, %d, %d, %d, %d, %f)",
- result.getInt("sensor_id"),
- Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1,
- currentPeriodTimestamp,
- currentPeriodTimestamp + HOUR_IN_MS -1,
- sum,
- aggrConfidence));
+ PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement("INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(?, ?, ?, ?, ?, ?)");
+ prepStmt.setInt(1, result.getInt("sensor_id"));
+ prepStmt.setLong(2, Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1);
+ prepStmt.setLong(3, currentPeriodTimestamp);
+ prepStmt.setLong(4, currentPeriodTimestamp + HOUR_IN_MS - 1);
+ prepStmt.setInt(5, sum);
+ prepStmt.setFloat(6, aggrConfidence);
+ DBConnection.exec(prepStmt);
 // Reset variables
 currentPeriodTimestamp = periodTimestamp;
@@ -173,8 +192,10 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 confidenceSum += result.getFloat("confidence");
 //TODO: SHould not be here!
- HalContext.getDB().exec("DELETE FROM sensor_data_aggr "
- + "WHERE sensor_id == "+ result.getInt("sensor_id") +" AND sequence_id == "+ result.getInt("sequence_id"));
+ PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement("DELETE FROM sensor_data_aggr WHERE sensor_id == ? AND sequence_id == ?");
+ prepStmt.setInt(1, result.getInt("sensor_id"));
+ prepStmt.setInt(2, result.getInt("sequence_id"));
+ DBConnection.exec(prepStmt);
 }
 return null;
 }
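Review bot: The DELETE of each consumed 5-minute row in hunk @@ -173,8 runs before the hour aggregate that summarises it is written, because the INSERT in the hunk above only fires when the first row of the next period arrives; a failure between the two loses that period, and since the hunk shows `return null;` directly after the loop with no final flush, the last period of every result set appears to be deleted without ever being aggregated unless that is handled outside the hunk. A safer order is to collect the (sensor_id, sequence_id) pairs of the period and delete them right after its aggregate has been inserted, ideally inside one transaction on the same connection. The day aggregator's DELETE in hunk @@ -212,8 has the same ordering. Each per-row DELETE also allocates a PreparedStatement that is never closed. handleQueryResult begins before this hunk.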
@@ -193,13 +214,14 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 if(currentPeriodTimestamp != 0 && periodTimestamp != currentPeriodTimestamp){
 float aggrConfidence = confidenceSum / 24f;
 logger.finer("Calculated day period: "+ currentPeriodTimestamp +" sum: "+ sum +" confidence: "+ aggrConfidence+ " samples: " + samples);
- HalContext.getDB().exec(String.format(Locale.US, "INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(%d, %d, %d, %d, %d, %f)",
- result.getInt("sensor_id"),
- Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1,
- currentPeriodTimestamp,
- currentPeriodTimestamp + DAY_IN_MS -1,
- sum,
- aggrConfidence));
+ PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement("INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(?, ?, ?, ?, ?, ?)");
+ prepStmt.setInt(1, result.getInt("sensor_id"));
+ prepStmt.setLong(2, Sensor.getHighestSequenceId(result.getInt("sensor_id")) + 1);
+ prepStmt.setLong(3, currentPeriodTimestamp);
+ prepStmt.setLong(4, currentPeriodTimestamp + DAY_IN_MS - 1);
+ prepStmt.setInt(5, sum);
+ prepStmt.setFloat(6, aggrConfidence);
+ DBConnection.exec(prepStmt);
 // Reset variables
 currentPeriodTimestamp = periodTimestamp;
@@ -212,8 +234,10 @@ public class DataAggregatorDaemon extends TimerTask implements HalDaemon {
 samples++;
 //TODO: SHould not be here!
- HalContext.getDB().exec("DELETE FROM sensor_data_aggr "
- + "WHERE sensor_id == "+ result.getInt("sensor_id") +" AND sequence_id == "+ result.getInt("sequence_id"));
+ PreparedStatement prepStmt = HalContext.getDB().getPreparedStatement("DELETE FROM sensor_data_aggr WHERE sensor_id == ? AND sequence_id == ?");
+ prepStmt.setInt(1, result.getInt("sensor_id"));
+ prepStmt.setInt(2, result.getInt("sequence_id"));
+ DBConnection.exec(prepStmt);
 }
 return null;
 }
diff --git a/src/se/koc/hal/deamon/DataSynchronizationClient.java b/src/se/koc/hal/deamon/DataSynchronizationClient.java
index 13db31d2..0e3315b3 100755
--- a/src/se/koc/hal/deamon/DataSynchronizationClient.java
+++ b/src/se/koc/hal/deamon/DataSynchronizationClient.java
@@ -6,6 +6,7 @@ import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.net.Socket;
 import java.net.UnknownHostException;
+import java.sql.PreparedStatement;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Locale;
@@ -55,16 +56,21 @@ public class DataSynchronizationClient extends TimerTask implements HalDaemon{
 SensorDataListDTO dataList = (SensorDataListDTO) in.readObject();
 for(SensorDataDTO data : dataList){
- int deletions = db.exec("DELETE FROM sensor_data_aggr WHERE sensor_id == "+ sensor.getId() +" AND "+ data.timestampStart +" <= timestamp_start AND timestamp_end <= "+ data.timestampEnd);
+ PreparedStatement stmt = db.getPreparedStatement("DELETE FROM sensor_data_aggr WHERE sensor_id == ? AND ? <= timestamp_start AND timestamp_end <= ?");
+ stmt.setLong(1, sensor.getId());
+ stmt.setLong(2, data.timestampStart);
+ stmt.setLong(3, data.timestampEnd);
+ int deletions = DBConnection.exec(stmt);
 if(deletions > 0) logger.finer("Aggregate data replaced "+ deletions +" entries");
- db.exec(String.format(Locale.US, "INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(%d, %d, %d, %d, %d, %f)",
- sensor.getId(),
- data.sequenceId,
- data.timestampStart,
- data.timestampEnd,
- data.data,
- data.confidence));
+ stmt = db.getPreparedStatement("INSERT INTO sensor_data_aggr(sensor_id, sequence_id, timestamp_start, timestamp_end, data, confidence) VALUES(?, ?, ?, ?, ?, ?)");
+ stmt.setLong(1, sensor.getId());
+ stmt.setLong(2, data.sequenceId);
+ stmt.setLong(3, data.timestampStart);
+ stmt.setLong(4, data.timestampEnd);
+ stmt.setInt(5, data.data);
+ stmt.setFloat(6, data.confidence);
+ DBConnection.exec(stmt);
 }
 logger.fine("Stored " + dataList.size() + " entries for sensor " + sensor.getId() + " from " + user.getName());
 }
diff --git a/src/se/koc/hal/deamon/DataSynchronizationDaemon.java b/src/se/koc/hal/deamon/DataSynchronizationDaemon.java
index be469917..b8f78aaa 100755
--- a/src/se/koc/hal/deamon/DataSynchronizationDaemon.java
+++ b/src/se/koc/hal/deamon/DataSynchronizationDaemon.java
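Review bot: The DELETE and the INSERT for each `SensorDataDTO` run as two independent statements, so if the INSERT throws after the DELETE has removed the existing aggregates in that range, the local copy is gone with nothing to replace it; wrapping the loop in one transaction on `db` (commit after the loop, rollback in the catch) keeps each replacement atomic. The bound values `data.timestampStart`/`data.timestampEnd` arrive from `in.readObject()` on the peer socket, so the deleted range is still peer-controlled — parameterisation closes the injection, but a cheap sanity check such as `if (data.timestampStart > data.timestampEnd) continue;` before the DELETE would keep a malformed DTO from being acted on. With `String.format` gone, the `java.util.Locale` import in hunk @@ -6,6 looks unused unless the rest of the file uses it. The enclosing method begins before this hunk.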
@@ -5,6 +5,7 @@ import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.net.Socket;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -14,6 +15,7 @@ import java.util.logging.Logger;
 import se.koc.hal.HalContext;
 import se.koc.hal.deamon.DataSynchronizationClient.PeerDataReqDTO;
+import zutil.db.DBConnection;
 import zutil.db.SQLResultHandler;
 import zutil.log.LogUtil;
 import zutil.net.threaded.ThreadedTCPNetworkServer;
@@ -66,9 +68,10 @@ public class DataSynchronizationDaemon extends ThreadedTCPNetworkServer implemen
 while((obj = in.readObject()) != null){
 if(obj instanceof PeerDataReqDTO){
 PeerDataReqDTO req = (PeerDataReqDTO) obj;
-
- SensorDataListDTO list = HalContext.getDB().exec("SELECT * FROM sensor_data_aggr WHERE sensor_id == "+ req.sensorId +" AND sequence_id > "+ req.offsetSequenceId,
- new SQLResultHandler() {
+ PreparedStatement stmt = HalContext.getDB().getPreparedStatement("SELECT * FROM sensor_data_aggr WHERE sensor_id == ? AND sequence_id > ?");
+ stmt.setLong(1, req.sensorId);
+ stmt.setLong(2, req.offsetSequenceId);
+ SensorDataListDTO list = DBConnection.exec(stmt, new SQLResultHandler() {
 @Override
 public SensorDataListDTO handleQueryResult(Statement stmt, ResultSet result) throws SQLException {
 SensorDataListDTO list = new SensorDataListDTO();
diff --git a/src/se/koc/hal/page/PCOverviewHttpPage.java b/src/se/koc/hal/page/PCOverviewHttpPage.java
index 962a6e50..334e877d 100755
--- a/src/se/koc/hal/page/PCOverviewHttpPage.java
+++ b/src/se/koc/hal/page/PCOverviewHttpPage.java
@@ -1,6 +1,7 @@
 package se.koc.hal.page;
 import java.io.IOException;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
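Review bot: The new local `PreparedStatement stmt` in hunk @@ -66,9 is immediately shadowed by the `Statement stmt` parameter of the anonymous handler's `handleQueryResult`, which is legal but makes the two easy to confuse inside the handler; renaming the outer one, e.g. `PreparedStatement reqStmt = HalContext.getDB().getPreparedStatement("SELECT * FROM sensor_data_aggr WHERE sensor_id == ? AND sequence_id > ?");`, removes the ambiguity. The bound values come from a `PeerDataReqDTO` produced by `in.readObject()` on the peer socket, so while the injection is fixed, nothing in the hunk ties `req.sensorId` to the connected peer; if no authorisation happens outside the hunk, any connected peer can page through any sensor's aggregates, and the native deserialisation itself would normally be guarded by an ObjectInputFilter or an explicit allow-list of DTO classes. The while loop and the anonymous handler continue past the hunk.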
@@ -24,47 +25,55 @@ public class PCOverviewHttpPage implements HttpPage {
 try {
 DBConnection db = HalContext.getDB();
- ArrayList minDataList = db.exec(
- "SELECT user.username as username,"
- + " sensor_data_aggr.timestamp_start as timestamp_start,"
- + " sensor_data_aggr.timestamp_end as timestamp_end,"
- + " sensor_data_aggr.data as data,"
- + " sensor_data_aggr.confidence as confidence,"
- + DataAggregatorDaemon.FIVE_MINUTES_IN_MS + " as period_length"
- + " FROM sensor_data_aggr, user, sensor"
- + " WHERE sensor.id = sensor_data_aggr.sensor_id"
- + " AND user.id = sensor.user_id"
- + " AND timestamp_end-timestamp_start == " + (DataAggregatorDaemon.FIVE_MINUTES_IN_MS-1)
- + " AND timestamp_start > " + (System.currentTimeMillis() - DataAggregatorDaemon.DAY_IN_MS)
- + " ORDER BY timestamp_start ASC",
- new SQLPowerDataBuilder());
- ArrayList hourDataList = db.exec(
- "SELECT user.username as username,"
- + " sensor_data_aggr.timestamp_start as timestamp_start,"
- + " sensor_data_aggr.timestamp_end as timestamp_end,"
- + " sensor_data_aggr.data as data,"
- + " sensor_data_aggr.confidence as confidence,"
- + DataAggregatorDaemon.HOUR_IN_MS + " as period_length"
- + " FROM sensor_data_aggr, user, sensor"
- + " WHERE sensor.id = sensor_data_aggr.sensor_id"
- + " AND user.id = sensor.user_id"
- + " AND timestamp_end-timestamp_start == " + (DataAggregatorDaemon.HOUR_IN_MS-1)
- + " AND timestamp_start > " + (System.currentTimeMillis() - 3*DataAggregatorDaemon.DAY_IN_MS)
- + " ORDER BY timestamp_start ASC",
- new SQLPowerDataBuilder());
- ArrayList dayDataList = db.exec(
- "SELECT user.username as username,"
- + " sensor_data_aggr.timestamp_start as timestamp_start,"
- + " sensor_data_aggr.timestamp_end as timestamp_end,"
- + " sensor_data_aggr.data as data,"
- + " sensor_data_aggr.confidence as confidence,"
- + DataAggregatorDaemon.DAY_IN_MS + " as period_length"
- + " FROM sensor_data_aggr, user, sensor"
- + " WHERE sensor.id = sensor_data_aggr.sensor_id"
- + " AND user.id = sensor.user_id"
- + " AND timestamp_end-timestamp_start == " + (DataAggregatorDaemon.DAY_IN_MS-1)
- + " ORDER BY timestamp_start ASC",
- new SQLPowerDataBuilder());
+
+ PreparedStatement stmt = db.getPreparedStatement(
+ "SELECT user.username as username,"
+ + " sensor_data_aggr.timestamp_start as timestamp_start,"
+ + " sensor_data_aggr.timestamp_end as timestamp_end,"
+ + " sensor_data_aggr.data as data,"
+ + " sensor_data_aggr.confidence as confidence,"
+ + DataAggregatorDaemon.FIVE_MINUTES_IN_MS + " as period_length"
+ + " FROM sensor_data_aggr, user, sensor"
+ + " WHERE sensor.id = sensor_data_aggr.sensor_id"
+ + " AND user.id = sensor.user_id"
+ + " AND timestamp_end-timestamp_start == ?"
+ + " AND timestamp_start > ?"
+ + " ORDER BY timestamp_start ASC");
+ stmt.setLong(1, DataAggregatorDaemon.FIVE_MINUTES_IN_MS-1);
+ stmt.setLong(2, (System.currentTimeMillis() - DataAggregatorDaemon.DAY_IN_MS) );
+ ArrayList minDataList = DBConnection.exec(stmt , new SQLPowerDataBuilder());
+
+ stmt = db.getPreparedStatement(
+ "SELECT user.username as username,"
+ + " sensor_data_aggr.timestamp_start as timestamp_start,"
+ + " sensor_data_aggr.timestamp_end as timestamp_end,"
+ + " sensor_data_aggr.data as data,"
+ + " sensor_data_aggr.confidence as confidence,"
+ + DataAggregatorDaemon.HOUR_IN_MS + " as period_length"
+ + " FROM sensor_data_aggr, user, sensor"
+ + " WHERE sensor.id = sensor_data_aggr.sensor_id"
+ + " AND user.id = sensor.user_id"
+ + " AND timestamp_end-timestamp_start == ?"
+ + " AND timestamp_start > ?"
+ + " ORDER BY timestamp_start ASC");
+ stmt.setLong(1, DataAggregatorDaemon.HOUR_IN_MS-1);
+ stmt.setLong(2, (System.currentTimeMillis() - 3*DataAggregatorDaemon.DAY_IN_MS) );
+ ArrayList hourDataList = DBConnection.exec(stmt, new SQLPowerDataBuilder());
+
+ stmt = db.getPreparedStatement(
+ "SELECT user.username as username,"
+ + " sensor_data_aggr.timestamp_start as timestamp_start,"
+ + " sensor_data_aggr.timestamp_end as timestamp_end,"
+ + " sensor_data_aggr.data as data,"
+ + " sensor_data_aggr.confidence as confidence,"
+ + DataAggregatorDaemon.DAY_IN_MS + " as period_length"
+ + " FROM sensor_data_aggr, user, sensor"
+ + " WHERE sensor.id = sensor_data_aggr.sensor_id"
+ + " AND user.id = sensor.user_id"
+ + " AND timestamp_end-timestamp_start == ?"
+ + " ORDER BY timestamp_start ASC");
+ stmt.setLong(1, DataAggregatorDaemon.DAY_IN_MS-1);
+ ArrayList dayDataList = DBConnection.exec(stmt, new SQLPowerDataBuilder());
 Templator tmpl = new Templator(FileUtil.find("web-resource/index.html"));
diff --git a/src/se/koc/hal/struct/Sensor.java b/src/se/koc/hal/struct/Sensor.java
index f8e4fc16..9537a4e5 100755
--- a/src/se/koc/hal/struct/Sensor.java
+++ b/src/se/koc/hal/struct/Sensor.java
@@ -10,9 +10,6 @@ import zutil.db.bean.DBBean;
 import zutil.db.bean.DBBeanSQLResultHandler;
 import zutil.db.handler.SimpleSQLResult;
-/**
- * Created by Ziver on 2015-12-03.
- */
 @DBBean.DBTable("sensor")
 public class Sensor extends DBBean{
 private String name;
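Review bot: The three queries in hunk @@ -24,47 are the same twelve-line SELECT with only the period constant and the lower time bound varying, and `stmt` is reassigned twice without being closed; a private helper that builds, binds, executes and closes one query removes the duplication and the leak together, with the DAY case passing `Long.MIN_VALUE` so the `timestamp_start > ?` clause can stay in the shared SQL without changing which rows it returns. The period constant is still concatenated into the SQL text; that is safe because it is a compile-time `long`, not request input, so only the two variable values need binding. Minor: `DBConnection.exec(stmt , new SQLPowerDataBuilder())` has a stray space before the comma, and `ArrayList minDataList` etc. are raw types. The surrounding method and its try block begin before this hunk.
```java
// inside PCOverviewHttpPage; one place for the shared SELECT (try-with-resources needs Java 7+)
private static ArrayList loadPeriod(DBConnection db, long periodLength, long since) throws SQLException {
    try (PreparedStatement stmt = db.getPreparedStatement(
            "SELECT user.username as username,"
            + " sensor_data_aggr.timestamp_start as timestamp_start,"
            + " sensor_data_aggr.timestamp_end as timestamp_end,"
            + " sensor_data_aggr.data as data,"
            + " sensor_data_aggr.confidence as confidence,"
            + periodLength + " as period_length"
            + " FROM sensor_data_aggr, user, sensor"
            + " WHERE sensor.id = sensor_data_aggr.sensor_id"
            + " AND user.id = sensor.user_id"
            + " AND timestamp_end-timestamp_start == ?"
            + " AND timestamp_start > ?"
            + " ORDER BY timestamp_start ASC")) {
        stmt.setLong(1, periodLength - 1);
        stmt.setLong(2, since);
        return DBConnection.exec(stmt, new SQLPowerDataBuilder());
    }
}

// call sites replacing the three inline queries
ArrayList minDataList = loadPeriod(db, DataAggregatorDaemon.FIVE_MINUTES_IN_MS, System.currentTimeMillis() - DataAggregatorDaemon.DAY_IN_MS);
ArrayList hourDataList = loadPeriod(db, DataAggregatorDaemon.HOUR_IN_MS, System.currentTimeMillis() - 3*DataAggregatorDaemon.DAY_IN_MS);
ArrayList dayDataList = loadPeriod(db, DataAggregatorDaemon.DAY_IN_MS, Long.MIN_VALUE);
```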
@@ -33,14 +30,17 @@ public class Sensor extends DBBean{
 }
 public static List getSensors(DBConnection db, User user) throws SQLException{
- PreparedStatement stmt = db.getPreparedStatement( "SELECT * FROM sensor WHERE user_id == " + user.getId() );
+ PreparedStatement stmt = db.getPreparedStatement( "SELECT * FROM sensor WHERE user_id == ?" );
+ stmt.setLong(1, user.getId());
 return DBConnection.exec(stmt, DBBeanSQLResultHandler.createList(Sensor.class, db) );
 }
 public static long getHighestSequenceId(long sensorId) throws SQLException{
- Integer id = HalContext.getDB().exec("SELECT MAX(sequence_id) FROM sensor_data_aggr WHERE sensor_id == "+ sensorId, new SimpleSQLResult());
- return (id != null ? id+1 : 1);
+ PreparedStatement stmt = HalContext.getDB().getPreparedStatement("SELECT MAX(sequence_id) FROM sensor_data_aggr WHERE sensor_id == ?");
+ stmt.setLong(1, sensorId);
+ Integer id = DBConnection.exec(stmt, new SimpleSQLHandler());
+ return (id != null ? id+1 : 1);
 }
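Review bot: `getHighestSequenceId` reads `MAX(sequence_id)` into an `Integer` while every writer in this commit binds sequence_id with `setLong` (DataAggregatorDaemon, DataSynchronizationClient) and the method itself returns `long`; if `SimpleSQLHandler` hands back whatever the driver's getObject produces, a value stored as a 64-bit integer would fail the assignment with a ClassCastException at runtime, so `Long id = DBConnection.exec(stmt, new SimpleSQLHandler());` is the consistent choice. The name says "highest" but the method returns highest+1, and its callers in DataAggregatorDaemon add 1 again; either rename it to `getNextSequenceId` or drop one of the increments. As in DataAggregatorDaemon, `SimpleSQLHandler` is instantiated while only `zutil.db.handler.SimpleSQLResult` is imported (hunk @@ -10,9), and neither `stmt` in this hunk is closed unless `DBConnection.exec` does so.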