This example shows how to use EasyORM to retrieve records for a parameterized query. A parameterized query is basically a custom query but it allows parameters be passed as arguments (in a HashMap e.g. :dateStart), rather than being embedded directly in the sql statement. This approach is more secure as far as sql injection attacks are concerned. It is also more flexible in cases where we frequently change the arguments and the query itself remains constant.

Parameterized query example code:


DBSelect dbSelect = new DBSelect();
HashMap<String,Object>hMap=new HashMap<String,Object>();
hMap.put("dateStart", java.sql.Date.valueOf("("2015-05-18");
hMap.put(("dateEnd", java.sql.Date.valueOf("("2015-06-23");
List<EmployeeDB> empList = dbSelect.getRecordsForParamQuery("select * from employee where date(date_added) between :dateStart and :dateEnd",hMap, EmployeeDB.class,0,0,"id");

Note, however, that this approach requires that you pass objects of the appropriate types to the getRecordsForParamQuery method. In the example above, we had to put a java.sql.Date type to the HashMap because date_added is an sql datetime type. If we had used a simple String instead, we would have gotten a runtime exception. Unlike a parameterized query, a custom query can always pass arguments either as strings (e.g '2015-06-23') or numbers (integers, floats etc) because they are always embedded within the query. To increase security, you should consider implementing input sanitation.

Parameterized query example code:

String dept = request.getParameter("deptVal");
DBSelect dbSelect = new DBSelect();
HashMap<String,Object>hMap=new HashMap<String,Object>();
hMap.put("dept", dept);
String query="select * from employee where department = :dept";
List<EmployeeDB> employeeList = dbSelect.getRecordsForParamQuery(query,hMap,EmployeeDB.class, recStart, recCount,"id");


Run this example