I wrote two simple functions to get the value of my date in MySQL table. Both start date and end date columns are both Date data type. So, in my these two function that goes something like this:
public Date get_startdate(long nodeid,String ts) {
try {
String sql="Select STARTDT FROM urllink WHERE URL='f0="+nodeid+"&ts="+ts + "'";
if (em == null) {
throw new Exception("could not found URL object.");
}
return (Date) em.createNativeQuery(sql).getSingleResult();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
public Date get_enddate(long nodeid,String ts) {
try {
String sql="Select ENDDT FROM urllink WHERE URL='f0="+nodeid+"&ts="+ts + "'";
if (em == null) {
throw new Exception("could not found URL object.");
}
return (Date) em.createNativeQuery(sql).getSingleResult();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
Now that I call these functions in my main page like these, I want to check the date conditions that if the URL is between these two dates,then it should be valid and do something. I highlight what I mean below:
Date file_getstartdate=fileFacade1.get_startdate(fileID,hash);
Date file_getenddate=fileFacade1.get_enddate(fileID,hash);
String currentDate = CoreUtil.parseDate(new Date());
if( file_getstartdate<= currentDate<= file_getendDate){
//URL is valid, do something
}else {
//do nothing
}
My date stored in my table is in the format YYYY-MM-DD and the problem I am facing is in the if statement above to make the comparison.I can't use those operators to do the checking. Is there a way to achieve what I desire?
Don't use String concatenation to construct SQL queries
This is vulnerable to SQL injection, and is really dangerous:
String sql="Select STARTDT FROM urllink WHERE URL='f0="+nodeid+"&ts="+ts + "'";
...
return (Date) em.createNativeQuery(sql).getSingleResult();
Assuming em refers to an EntityManager object then you can build a Criteria based query, or if you really need to stick with native SQL then you should use a PreparedStatement instead.
For your comparison question, you have three issues:
String and Date).<=).a <= b <= c isn't a valid Java statement. It needs to be a <= b && b <= c). Here is a way to compare using the Date class (note that since Java 8 LocalDate is a much better class to use if you have the option).
Date fileStartDate = fileFacade1.get_startdate(fileID, hash);
Date fileEndDate = fileFacade1.get_enddate(fileID, hash);
Date currentDate = new Date();
if (fileStartDate.before(currentDate) && fileEndDate.after(currentDate) {
...
In response to your comment
Okay but does using preparedStatement helps with this SQL inejction. Does entity manager prevent the injection? I was told not to use preparedstatement,are there any other alternatives?
If someone told you to make a native query using string concatenation (the +nodeid+ and +ts + parts of your code) instead of using a PreparedStatement then they are wrong. An EntityManager will not protect you from injection in the code above, but a PreparedStatement, along with changing how your query is constructed, would.
A PreparedStatement would look something like
String url = "f0=" + nodeid + "&ts=" + ts;
PreparedStatement preparedStatement = connection.prepareStatement("Select STARTDT FROM urllink WHERE URL= ?");
preparedStatement.setString(1, url);
ResultSet resultSet = preparedStatement.executeQuery();
If you've been told to use an EntityManager instead of writing native SQL then that's actually good advice. You'll need to construct your query using the Criteria abstraction. How to do that is probably a separate question.