Thanks much, that was very helpful.

On Friday, May 12, 2017 at 9:44:41 AM UTC+3, Lukas Eder wrote:
>
> Hello,
>
> First off, a short disclaimer. Be very careful when concatenating things 
> into SQL strings or SQL string fragments. In this case, the risk is rather 
> small because there's not really a SQL injection vulnerability possible by 
> concatenating a timestamp to a string. But if this were a String argument, 
> you'd open up a vulnerability. jOOQ generally protects users from SQLi, 
> but when using the plain SQL API, there is still potential to get this 
> wrong. So, to stay on the safe side, I highly recommend *never* 
> concatenating user input to SQL strings.
>
> Here is some further reading:
>
> - 
> https://blog.jooq.org/2016/12/05/prevent-sql-injection-with-sql-builders-like-jooq
> - 
> https://blog.jooq.org/2013/11/05/using-sql-injection-vulnerabilities-to-dump-your-database/
>
> Now, the best way to solve this, if you would like to continue using plain 
> SQL would be this:
>
> create.select()
>       .from(MY_VIEW)
>       .where("activation_time >= ?", new Timestamp(activeSinceEpoch))
>       .fetchSize(FETCH_SIZE)
>       .fetchLazy();
>
>
> Notice how we're now using the where(String, Object...) method:
>
> https://www.jooq.org/javadoc/latest/org/jooq/SelectWhereStep.html#where-java.lang.String-java.lang.Object...-
>
> ... rather than the where(String) method:
>
> https://www.jooq.org/javadoc/latest/org/jooq/SelectWhereStep.html#where-java.lang.String-
>
> All plain SQL API methods are overloaded in three versions:
>
> - *method(String):* This just accepts a SQL string without any 
> parameters
> - *method(String, Object...):* This allows for passing bind variables to 
> the SQL string, assuming that the SQL string contains "?" characters
> - *method(String, QueryPart...):* This allows for using the plain SQL 
> templating mechanism
>
> More information about plain SQL can be found here:
> https://www.jooq.org/doc/latest/manual/sql-building/plain-sql
>
> Hope this helps,
> Lukas
>
> 2017-05-12 0:09 GMT+02:00 <[email protected]>:
>
>> Hi, I have the following simple scenario. I'm getting an epoch and would 
>> like to filter the results according to it. 
>> the following did not work:
>>
>> create.select()
>>       .from(MY_VIEW)
>>       .where("activation_time >= " + new Timestamp(activeSinceEpoch))
>>       .fetchSize(FETCH_SIZE)
>>       .fetchLazy();
>>
>>
>> I would like to avoid calling the TO_TIMESTAMP since this is less convenient 
>> in Java. How should I get this correctly?
>>
>>
>> Thanks.
>>
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "jOOQ User Group" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

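To make the difference between the three plain SQL overloads visible, here is an added example (not code from the thread and not jOOQ's own code). It uses jOOQ's connection-less DSLContext to render the WHERE clause from the question in each form and prints the generated SQL next to its bind values. Assumed: jOOQ on the classpath, a view my_view with a timestamp column activation_time and a text column owner; the owner column, the epoch value and the attacker string are constructed for the illustration. The fetchSize(FETCH_SIZE).fetchLazy() part of the original chain is left out because it needs a Connection.

```java
// Added example (not code from the thread or from jOOQ itself): renders each
// variant of the WHERE clause discussed above with jOOQ's SQL-only DSLContext,
// so the difference between string concatenation, the where(String, Object...)
// bind-variable overload and the where(String, QueryPart...) templating
// overload shows up in the generated SQL without a database.
// Assumed: jOOQ on the classpath, a view my_view with a timestamp column
// activation_time and a text column owner (the owner column, the epoch and
// the attacker string are constructed here).
import static org.jooq.impl.DSL.field;
import static org.jooq.impl.DSL.name;
import static org.jooq.impl.DSL.table;
import static org.jooq.impl.DSL.val;

import java.sql.Timestamp;
import org.jooq.DSLContext;
import org.jooq.Field;
import org.jooq.Query;
import org.jooq.SQLDialect;
import org.jooq.conf.ParamType;
import org.jooq.impl.DSL;

public class PlainSqlBindExample {

    // DSL.using(SQLDialect) needs no connection; it only renders SQL.
    private static final DSLContext create = DSL.using(SQLDialect.POSTGRES);

    // The pattern from the original question. Timestamp.toString() has no
    // quotes (e.g. "2017-05-12 00:00:00.0"), so the rendered SQL is not valid.
    static Query concatenatedTimestamp(long activeSinceEpoch) {
        return create.select()
                     .from(table("my_view"))
                     .where("activation_time >= " + new Timestamp(activeSinceEpoch));
    }

    // The same pattern with a String argument: the injectable case from the reply.
    static Query concatenatedString(String owner) {
        return create.select()
                     .from(table("my_view"))
                     .where("owner = '" + owner + "'");
    }

    // where(String, Object...): each "?" becomes a JDBC bind variable.
    static Query boundTimestamp(long activeSinceEpoch) {
        return create.select()
                     .from(table("my_view"))
                     .where("activation_time >= ?", new Timestamp(activeSinceEpoch));
    }

    // where(String, QueryPart...): plain SQL templating with {0}, {1}, ...;
    // val() wraps the value as a bind-variable QueryPart.
    static Query templatedTimestamp(long activeSinceEpoch) {
        return create.select()
                     .from(table("my_view"))
                     .where("activation_time >= {0}", val(new Timestamp(activeSinceEpoch)));
    }

    // No plain SQL at all: a typed Field compared with ge(); the value is a
    // bind variable and the identifiers are quoted names.
    static Query typedTimestamp(long activeSinceEpoch) {
        Field<Timestamp> activationTime = field(name("activation_time"), Timestamp.class);
        return create.select()
                     .from(table(name("my_view")))
                     .where(activationTime.ge(new Timestamp(activeSinceEpoch)));
    }

    static void show(String label, Query q) {
        System.out.println(label);
        System.out.println("  sql      : " + q.getSQL());                   // "?" placeholders
        System.out.println("  bindings : " + q.getBindValues());            // values sent separately
        System.out.println("  inlined  : " + q.getSQL(ParamType.INLINED));  // for inspection only
    }

    public static void main(String[] args) {
        long epoch = 1494547200000L;        // constructed: 2017-05-12T00:00:00Z
        String attacker = "x' OR '1'='1";   // constructed attacker input

        show("concatenated Timestamp (invalid SQL)", concatenatedTimestamp(epoch));
        show("concatenated String (injectable)", concatenatedString(attacker));
        show("where(String, Object...)", boundTimestamp(epoch));
        show("where(String, QueryPart...)", templatedTimestamp(epoch));
        show("typed Field.ge()", typedTimestamp(epoch));
    }
}
```

The quick check a reviewer can apply to any jOOQ query built from plain SQL is the second line of each printout: if getBindValues() is empty while a runtime value appears in getSQL(), the value was concatenated into the statement rather than bound. For the two concatenated variants that list is empty; for the bound, templated and typed variants the Timestamp is in the list and the SQL only carries a "?". The attacker string shows why the String case matters: the rendered WHERE clause becomes owner = 'x' OR '1'='1', which is a different predicate, whereas bound would send the whole string as one parameter value. getSQL(ParamType.INLINED) is only there to make the rendered literal visible; it is not how the query should be executed.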