groovy.sql.Sql.asSql In Groovy SQL 请不要在动态表达式周围使用引号
groovy.sql.Sql.asSql In Groovy SQL please do not use quotes around dynamic expressions
我在 Grails 中有一个这样的查询:
def strQuery = """select date_trunc('${type}', range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= '${startDate}' and range < '${endDate}'
group by date_trunc('${type}', range)
order by 1 asc;"""
我在 catalina 日志中有这个警告:
groovy.sql.Sql.asSql In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there. The expression so far is: select date_trunc('?', range) as range, is_internal,direction, sum(total_count) as total_count, sum(total_message_size) as total_message_size
我该如何摆脱它?问题是动态 date_trunc 参数。
当我尝试这样的事情时:
select date_trunc(:type, range) ....... group by date_trunc(:type, range)
sql.eachRow(strQuery, type: type)
然后我得到这个异常:
ERROR: column "connector_message_statistic.range" must appear in the GROUP BY clause or be used in an aggregate function Position: 23
如何重写这样的查询以避免这些警告?
通常您应该使用参数化查询而不是像您这样的查询。这样 Hibernate 或 Groovy SQL 可以根据参数的类型正确地装箱。
我会这样查询:
def result = SomeDomain.executeQuery( 'select date_trunc(:type, range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= :startDate and range < :endDate
group by date_trunc( :type, range)
order by 1 asc", [ type:type, startDate:startDate, endDate:endDate ] )
您也可以使用 positional 参数:
def result = SomeDomain.executeQuery( 'select date_trunc(?, range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= ? and range < ?
group by date_trunc( ?, range)
order by 1 asc", [ type, startDate, endDate, type ] )
injecteer 的评论帮助了我,这段代码现在可以工作了:
strQuery = """select date_trunc(:type, range) as rangenew, is_internal,direction, sum(total_count) as total_count, sum(total_message_size) as total_message_size
from connector_message_statistic
where range >= :startDate::timestamp and range < :endDate::timestamp
group by rangenew, is_internal,direction
order by 1 asc;"""
sql.eachRow(strQuery, [type: type, startDate: startDate, endDate: endDate]
我重命名了date_trunc中的字段名,并在group by子句中添加了字段
我在 Grails 中有一个这样的查询:
def strQuery = """select date_trunc('${type}', range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= '${startDate}' and range < '${endDate}'
group by date_trunc('${type}', range)
order by 1 asc;"""
我在 catalina 日志中有这个警告:
groovy.sql.Sql.asSql In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there. The expression so far is: select date_trunc('?', range) as range, is_internal,direction, sum(total_count) as total_count, sum(total_message_size) as total_message_size
我该如何摆脱它?问题是动态 date_trunc 参数。 当我尝试这样的事情时:
select date_trunc(:type, range) ....... group by date_trunc(:type, range)
sql.eachRow(strQuery, type: type)
然后我得到这个异常:
ERROR: column "connector_message_statistic.range" must appear in the GROUP BY clause or be used in an aggregate function Position: 23
如何重写这样的查询以避免这些警告?
通常您应该使用参数化查询而不是像您这样的查询。这样 Hibernate 或 Groovy SQL 可以根据参数的类型正确地装箱。
我会这样查询:
def result = SomeDomain.executeQuery( 'select date_trunc(:type, range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= :startDate and range < :endDate
group by date_trunc( :type, range)
order by 1 asc", [ type:type, startDate:startDate, endDate:endDate ] )
您也可以使用 positional 参数:
def result = SomeDomain.executeQuery( 'select date_trunc(?, range) as range, sum(total_count) as total_count from connector_message_statistic
where range >= ? and range < ?
group by date_trunc( ?, range)
order by 1 asc", [ type, startDate, endDate, type ] )
injecteer 的评论帮助了我,这段代码现在可以工作了:
strQuery = """select date_trunc(:type, range) as rangenew, is_internal,direction, sum(total_count) as total_count, sum(total_message_size) as total_message_size
from connector_message_statistic
where range >= :startDate::timestamp and range < :endDate::timestamp
group by rangenew, is_internal,direction
order by 1 asc;"""
sql.eachRow(strQuery, [type: type, startDate: startDate, endDate: endDate]
我重命名了date_trunc中的字段名,并在group by子句中添加了字段