
I have an API built with Spring Boot. The request sends JSON to the endpoint, which builds a request object. The request object sends its list of Product objects to a method to update the productDimensions object within the Product.

In order to get the dimensions I send the Sku string and Size string to a class called ProductRepository which is set up with jdbcTemplate (I think).

The method doesn't fail, but the SqlRowSet returns with 0 rows and I cannot figure it out. Please note that Java isn't my main language, so I'm a bit confused.

I've tried https://spring.io/guides/gs/relational-data-access/ and several other SO links.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.support.rowset.SqlRowSet;
import org.springframework.stereotype.Repository;

@Repository
public class ProductRepository {
    @Autowired
    JdbcTemplate jdbcTemplate;

    // sku and size are spliced straight into the SQL text (unsafe: SQL injection)
    public SqlRowSet findBySkuSize(String sku, String size) {
        return jdbcTemplate.queryForRowSet("SELECT * from PRODUCT_DIMENSIONS where SKU = '" + sku + "' and SIZE = '" + size + "'");
    }
}

And this is what I am doing to call the ProductRepository:

import org.springframework.jdbc.support.rowset.SqlRowSet;
import org.springframework.stereotype.Service;
@Service
public class FreightCalculationService {
    private final ProductRepository productRepository;

    // constructor injection
    public FreightCalculationService(ProductRepository productRepository) {
        this.productRepository = productRepository;
    }

    private Obj method(String sku, String size) {
        Obj obj = new Obj();
        SqlRowSet dataRows = productRepository.findBySkuSize(sku, size);
        // ... rest of the method not shown in the post; Obj is the post's placeholder type
        return obj;
    }
}

I expect the data from my H2 database to appear as a row in my SqlRowSet, but when I check, there are 0 totalRows.

Edit: My jdbcTemplate is populated and I've cleaned up the code a little bit.

[screenshot: jdbcTemplate properties]

Edit: When I look at the SqlRowSet object in the debugger, here is what I see to know that it's not working:

[screenshot of the SqlRowSet in the debugger: https://i.stack.imgur.com/sSen0.png]

No errors were thrown in the debug console.

So it looks like there's an issue with the SQL statement. When I change my query to SELECT * FROM PRODUCT_DIMENSIONS I get 4 rows; however, when I try the method susceptible to SQL injection, I don't get anything. Could this be because of the way Java concatenates strings? Anyhow, I am going to look into prepared statements to see if there is a way around it.

    `try` block without `catch` is pointless. Are you sure there is no exception? The table name with `[` and `]` is confusing. – Karol Dowbecki Jan 11 '19 at 22:11
  • Given `ProductRepository` has no `@Component` (or `@Service`, or `@Repository`) annotation, are you sure the `jdbcTemplate` variable is populated, if you made the same mistake in `FreightCalculationService`, then maybe its `productRepository` isn't set either. That could explain the NPE. Consider posting a [mcve]. Also, please learn about using prepared statements. Your current code is unsafe as it is vulnerable to SQL injection. – Mark Rotteveel Jan 14 '19 at 19:37
  • I did have the @Repository annotation on ProductRepository, I also just checked my jdbcTemplate object and it is populated as in VSCode I can see that the jdbcUrl is the same as my H2 url, however I did notice the datasource property was null, could that be a problem? – boo Jan 15 '19 at 14:23
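As an added example (not code from the question, nor from Spring's own guides), the stand-alone class below puts the question's concatenated query next to the bind-parameter form of the same JdbcTemplate call and runs both against a throwaway in-memory H2 table. Everything beyond the table name and the SKU and SIZE columns is an assumption for the demo: the JDBC URL, the WIDTH_CM column, the three constructed rows, and the countLooseMatches diagnostic. It needs spring-jdbc and the H2 driver on the classpath.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.jdbc.support.rowset.SqlRowSet;

public class ProductRepositoryDemo {

    // Assumed JDBC URL for an in-memory H2 database; the question's own URL is not shown.
    private static final String H2_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    private final JdbcTemplate jdbcTemplate;

    public ProductRepositoryDemo(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // The question's query shape: caller-controlled values become part of the statement text.
    public SqlRowSet findBySkuSizeUnsafe(String sku, String size) {
        String sql = "SELECT * FROM PRODUCT_DIMENSIONS WHERE SKU = '" + sku
                + "' AND SIZE = '" + size + "'";
        return jdbcTemplate.queryForRowSet(sql);
    }

    // Same lookup with bind parameters: the driver sends the values separately from
    // the statement, so quote characters in the input cannot alter the query.
    public SqlRowSet findBySkuSize(String sku, String size) {
        return jdbcTemplate.queryForRowSet(
                "SELECT * FROM PRODUCT_DIMENSIONS WHERE SKU = ? AND SIZE = ?", sku, size);
    }

    // Assumed diagnostic for a "0 rows" result: count matches while ignoring surrounding
    // whitespace and letter case, so a near-miss between JSON values and stored values shows up.
    public int countLooseMatches(String sku, String size) {
        Integer n = jdbcTemplate.queryForObject(
                "SELECT COUNT(*) FROM PRODUCT_DIMENSIONS"
                        + " WHERE UPPER(TRIM(SKU)) = UPPER(TRIM(?))"
                        + " AND UPPER(TRIM(SIZE)) = UPPER(TRIM(?))",
                Integer.class, sku, size);
        return n == null ? 0 : n;
    }

    // Walks the row set once and returns how many rows it held.
    static int countRows(SqlRowSet rows) {
        int n = 0;
        while (rows.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        JdbcTemplate jdbc = new JdbcTemplate(new DriverManagerDataSource(H2_URL));

        // Constructed sample table and rows, not the question's real data.
        jdbc.execute("CREATE TABLE PRODUCT_DIMENSIONS (SKU VARCHAR(32), SIZE VARCHAR(16), WIDTH_CM INT)");
        jdbc.update("INSERT INTO PRODUCT_DIMENSIONS VALUES (?, ?, ?)", "ABC-1", "M", 40);
        jdbc.update("INSERT INTO PRODUCT_DIMENSIONS VALUES (?, ?, ?)", "ABC-1", "L", 45);
        jdbc.update("INSERT INTO PRODUCT_DIMENSIONS VALUES (?, ?, ?)", "XYZ-9 ", "S", 30); // trailing space on purpose

        ProductRepositoryDemo repo = new ProductRepositoryDemo(jdbc);

        // Honest lookup through both variants.
        System.out.println("unsafe, exact:   " + countRows(repo.findBySkuSizeUnsafe("ABC-1", "M")));
        System.out.println("safe, exact:     " + countRows(repo.findBySkuSize("ABC-1", "M")));

        // Hostile size value: closes the open quote and appends a tautology.
        String hostile = "' OR '1'='1";
        System.out.println("unsafe, hostile: " + countRows(repo.findBySkuSizeUnsafe("ABC-1", hostile)));
        System.out.println("safe, hostile:   " + countRows(repo.findBySkuSize("ABC-1", hostile)));

        // Near-miss data: the stored SKU carries a trailing space the caller does not send.
        System.out.println("safe, padded:    " + countRows(repo.findBySkuSize("XYZ-9", "S")));
        System.out.println("loose, padded:   " + repo.countLooseMatches("XYZ-9", "S"));
    }
}
```

With the honest sku and size both variants return the same single row. With the hostile size the concatenated statement's WHERE clause reads `SKU = 'ABC-1' AND SIZE = '' OR '1'='1'`, which is true for every row, while the bound version compares SIZE against the literal string `' OR '1'='1` and returns nothing. The loose count is there because bind parameters change only how the values travel, not what they are: if the JSON values differ from the stored columns by case or surrounding whitespace, the exact query stays at 0 rows and the loose one finds the row, which points at the data rather than at the SQL.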
