在休眠状态下在查询字符串中动态添加表名称
[英]Adding a table name in query string dynamically in hibernate
问题描述
I am trying to add table name dynamically in my query which returns List<object[]> as return type 
我试图在我的查询中动态添加表名,该查询返回List<object[]>作为返回类型
I am currently appending the table name inside the query I don't think that's the optimal solution .Is there any other solution better than this? 我目前正在将表名称附加在查询中,我认为这不是最佳解决方案。还有其他解决方案吗?
public List<Object[]> getResult(String tableName){
try {
Session session = currentSession();
Query query = session.createSQLQuery("select * from "+tableName);
return query.list();
} catch (Exception e) {
e.printStackTrace();
throw e;
} finally {
closeSession();
}
}
2 个解决方案
解决方案1
1 2019-07-31 11:58:14
How about doing it the other way around? 反过来呢? Instead of giving a table name and getting corresponding type, give a corresponding type and let code figure out table name. 与其给出一个表名并获得对应的类型,不如给出一个对应的类型并让代码找出表名。
public <T> List<T[]> getResult(Class<T> type){
try {
Session session = currentSession();
Query query = session.createSQLQuery("select * from " + type.getName() + "s");
ArrayList<T> result = new ArrayList();
for(Object o : query.list())
result.add((T) o);
return result;
} catch (Exception e) {
e.printStackTrace();
throw e;
} finally {
closeSession();
}
}
type is class used to represent records in the table. type是用于表示表中记录的类。 This example assumes that in database tables only have additional "s" in their name, so if in Java you have class SomeObject and corresponding table is some_objects you might want to do some more Java-style names to SQL-style names conversion then type.getName() + "s" . 此示例假定在数据库表中名称中仅包含附加的“ s”,因此,如果在Java中具有类SomeObject而对应的表是some_objects ,则可能需要将其他Java样式名称转换为SQL样式名称,然后type.getName() + "s" 。
Anyway - this should return you a list of elements casted to correct type, when you call getResult(SomeObject.class); 无论如何-当您调用getResult(SomeObject.class);时,这应该返回转换为正确类型的元素列表getResult(SomeObject.class);
解决方案2
1 2019-07-31 12:21:41
In general if you need a SQL query with variable table name you're doing something wrong. 通常,如果您需要一个带有可变表名的SQL查询,那么您在做错什么。
So it would be interesting what kind of program you are writing. 因此,您正在编写哪种程序会很有趣。
I can only think of a SQL database viewer or a database dumper which would need variable table names. 我只能想到需要可变表名的SQL数据库查看器或数据库转储程序。
Also your method seems vulnerable to a SQL injection (unless you checked the table name before calling the method). 同样,您的方法似乎容易受到SQL注入的影响(除非您在调用方法之前检查了表名)。
I am personally only using prepared queries when passing any variable to a SQL query. 当将任何变量传递给SQL查询时,我个人仅使用准备好的查询。 Your query as prepared statement would look like "SELECT * FROM ?". 作为准备语句的查询看起来像“ SELECT * FROM?”。 You can try if it is supported by your database. 您可以尝试是否数据库支持它。 But it should not be because such a kind of query is only needed in very rare cases. 但这不是因为仅在极少数情况下才需要这种查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.