How to concat two strings in JPQL with MS SQL - jpa

I am trying to update a column (in an MS SQL table) which holds very long strings (text data type) appending it with a string from my application using JPQL. But the following query fails:
UPDATE entity e SET e.longText = CONCAT(e.longText, :textToAppend) WHERE e.id = :id
with message
The data types text and nvarchar are incompatible in the add operator.
The problem is that we need to also support other DBS than MS SQL database and DBS-specific queries are out of question (at least if there is another way).
With this query I was trying to bypass querying for the whole long text and concatenating it in the app and updating it back, so it's not slow (the query is called quite often).
Can I somehow append a string to a very long text column without doing it manually in the app and so it works in MS SQL? (I know there is no cast support in JPQL, sadly)
Using JPA with Hibernate.

It turned out I was using old hibernate dialect. There is a dialect for SQL Server 2008 (org.hibernate.dialect.SQLServer2008Dialect) which maps #Lob String properties correctly.

Related

How can I prevent SQL injection with arbitrary JSONB query string provided by an external client?

I have a basic REST service backed by a PostgreSQL database with a table with various columns, one of which is a JSONB column that contains arbitrary data. Clients can store data filling in the fixed columns and provide any JSON as opaque data that is stored in the JSONB column.
I want to allow the client to query the database with constraints on both the fixed columns and the JSONB. It is easy to translate some query parameters like ?field=value and convert that into a parameterized SQL query for the fixed columns, but I want to add an arbitrary JSONB query to the SQL as well.
This JSONB query string could contain SQL injection, how can I prevent this? I think that because the structure of the JSONB data is arbitrary I can't use a parameterized query for this purpose. All the documentation I can find suggests I use parameterized queries, and I can't find any useful information on how to actually sanitize the query string itself, which seems like my only option.
For example a similar question is:
How to prevent SQL Injection in PostgreSQL JSON/JSONB field?
But I can't apply the same solution as I don't know the structure of the JSONB or the query, I can't assume the client wants to query a particular path using a particular operator, the entire JSONB query needs to be freely provided by the client.
I'm using golang, in case there are any existing libraries or code fragments that I can use.
edit: some example queries on the JSONB that the client might do:
(content->>'company') is NULL
(content->>'income')::numeric>80000
content->'company'->>'name'='EA' AND (content->>'income')::numeric>80000
content->'assets'#>'[{"kind":"car"}]'
(content->>'DOB')::TIMESTAMP<'2000-01-30T10:12:18.120Z'::TIMESTAMP
EXISTS (SELECT FROM jsonb_array_elements(content->'assets') asset WHERE (asset->>'value')::numeric > 100000)
Note that these don't cover all possible types of queries. Ideally I want any query that PostgreSQL supports on the JSONB data to be allowed. I just want to check the query to ensure it doesn't contain sql injection. For example, a simplistic and probably inadequate solution would be to not allow any ";" in the query string.
You could allow the users to specify a path within the JSON document, and then parameterize that path within a call to a function like json_extract_path_text. That is, the WHERE clause would look like:
WHERE json_extract_path_text(data, $1) = $2
The path argument is just a string, easily parameterized, which describes the keys to traverse down to the given value, e.g. 'foo.bars[0].name'. The right-hand side of the clause would be parameterized along the same rules as you're using for fixed column filtering.

EF SQL WHERE using LOWER() conversion for string comparison

My application is using Entity Framework over a SQL Azure Database.
It has a feature that allows the the user to search for records based on a given phone number. The table being searched has many columns, including 3 columns for phone numbers: a BusinessPhone, a HomePhone and a CellPhone column. All three of these columns are indexed.
My EF DbContext is generating the following as part of the WHERE clause:
WHERE (10 = [Extent1].[Debtor_DebtorStatus]) AND
(((LOWER([Extent1].[BusinessPhone])) = (LOWER(N'012345678')))
OR ((LOWER([Extent1].[HomePhone])) = (LOWER(N'012345678')))
OR ((LOWER([Extent1].[CellPhone])) = (LOWER(N'012348678')))
)
The query is taking about 3 minutes to return a response (even when I run it in SQL Management Studio).
If I edit this SQL statement and remove the LOWER() function, then it executes in less than a second!!!
Is there some setting I can flick to make EntityFramework NOT use the LOWER() function in the generated SQL statement?
Of if that is not possible, is there a way I can intercept this SQL statement and remove the LOWER() functions in code before execution on the database?

Entity Framework: Convert.ToDecimal not supported, any ideas? EF gives an error

I have been doing queries in EF and everything working great but now i have in the db 2 fields that are actually CHAR.. They hold a date but in the form of a number, in SQL Management Studio i can do date1 >= date2 for example and i can also check to see if a number i have falls in between these 2 dates.
Its nothing unusual, but basically a field that represents a date (the number grows as the date does)...
Now in EF when i try to do >= it states you can't do this on a string, ok understand its c# so i tried doing Convert.ToDecimal(date1) but it gives me an error saying that its not supported.
I have no option of changing the db fields, they are set in stone :-(
the way i got it to work was request of details and do a .ToList and then use the .ToDecimal and it works but of course this is doing it in memory! and this defeats the object of EF i.e. for example adding to the query using iqueryable.
Another way i got it to work was to pass the SQL query to SqlQuery of the dbcontext but again i lose a lot of ef functionality.
Can anyone help?
I am really stuck
As you say that you tried >= I assume that it would work for you if you could do that in plain SQL. And that is possible by doing
String.Compare(date1, date2) >= 0
EF is smart enough to translate that into a >= operator.
The advantage is that you do not need to compare converted values, so indexes can be used in execution plans.
First of all, you can at least enable deferred execution of the query by using AsEnumerable() instead of ToList(). This won't change the fact that the database would need to return all the records when you do in fact execute the query, however.
To let the database perform the filtering, you need your query to be compatible with SQL. Since you can't do ToDecimal() in SQL, you need to work with strings directly by converting your myvar to a string that is in the same format as dateStart and dateEnd, then form your query.

How to optimize generic SQL to retrieve DDL information

I have a generic code that is used to retrieve DDL information from a Firebird database (FB2.1). It generates SQL code like
SELECT * FROM MyTable where 'c' <> 'c'
I cannot change this code. Actually, if that matters, it is inside Report Builder 10.
The fact is that some tables from my database are becoming a litle too populated (>1M records) and that query is starting to take too long to execute.
If I try to execute
SELECT * FROM MyTable where SomeIndexedField = SomeImpossibleValue
it will obviously use that index and run very quickly.
Well, it wouldn´t be that hard to the database find out that that is an impossible matcher and make some sort of optimization and avoid testing it against each row.
Is there any way to make my firebird database to optimize that search?
As the filter condition is a negative proposition (and also doesn't refer a column to search, but only a value to compare to another value), Firebird need to do a full table scan (without use any index) to confirm that aren't any record that meet your criteria.
If you can't change you need to wait for the upcoming 3.0 version, that will implement the Boolean data type, and therefore should start to evaluate "constant" fake comparisons in advance (maybe the client library will do this evaluation before send the statement to the server?).

Full text + spatial search with Entity Framework 4

Let's say I have a SQL 2005 database with a table called Restaurants. The Restaurants table has the following columns:
RestaurantId
Name
Latitude
Longitude
I want to let users search for restaurants by name and/or address. How do I write the LINQ query to support this? I need to be able to support the possibility that the user doesn't enter in a name or address, just the name, just the address, or both name and address.
My initial idea was to write a stored procedure to calculate the distance between two lat/long pairs and a table value function for calling FREETEXTTABLE and using some conditional Join calls on my query. However, it appears that Entity Framework 4 doesn't support table value functions.
You certainly can write a proc which returns entity types. Indeed, in EF 1 that was the only option for procs. The proc returns a set of values, not a table, but I can't see that you actually need this.
You can also do free-form T-SQL in EF 4 using Context.ExecuteStoreQuery.
You cannot write any LINQ that supports geospatial queries at this point of time - be it EF or LinqToSql. This is because there is no LINQ syntax which can handle the special ST<whatever> spatial syntax that exists in SQL Server 2008. (eg. STIntersects(..))
You will need to write a Stored Procedure which you can then get access to via EF.
If you wish to return a Sql GEOGRAPHY field in a result, you will need to return a VARBINARY(MAX) i think as the equivalent field type for the C# code.
Hope This Helps.