Question

public Result setModelMasterParams(){
        try{
            long tenantId = request().getHeader("tenant_id")==null
                    || request().getHeader("tenant_id").equalsIgnoreCase("")
                    || request().getHeader("tenant_id").equalsIgnoreCase("null")
                    || request().getHeader("tenant_id").equalsIgnoreCase("undefined")
                    ?0l:Long.parseLong(request().getHeader("tenant_id"));
            long updateAiModelMasterId = request().getHeader("ai_model_master_id")==null
                    || request().getHeader("ai_model_master_id").equalsIgnoreCase("")
                    || request().getHeader("ai_model_master_id").equalsIgnoreCase("null")
                    || request().getHeader("ai_model_master_id").equalsIgnoreCase("undefined")
                    ?0l:Long.parseLong(request().getHeader("ai_model_master_id"));
            JsonNode body = request().body().asJson();
            long aiModelMasterId =0l;
            if ( body!=null) {

                long modelMasterParamsId = body.get("ai_model_master_parameters_id") == null
                        || body.get("ai_model_master_parameters_id").asText().equalsIgnoreCase("")
                        || body.get("ai_model_master_parameters_id").asText().equalsIgnoreCase("null")
                        || body.get("ai_model_master_parameters_id").asText().equalsIgnoreCase("undefined")
                        ? 0l : Long.parseLong(body.get("ai_model_master_parameters_id").asText());

                String parameterCategory = body.get("parameter_category")==null?"":body.get("parameter_category").asText();
                String parameterName = body.get("parameter_name")==null?"":body.get("parameter_name").asText();
                String parameterDataType = body.get("parameter_data_type")==null?"":body.get("parameter_data_type").asText();
                String parameterValue = body.get("parameter_value")==null?"":body.get("parameter_value").asText();
                String description = body.get("description")==null?"":body.get("description").asText();

                if (updateAiModelMasterId==0){
                    String sql= "INSERT INTO ai_model_master_parameters " +
                            "(ai_model_master_parameters_id, parameter_category, parameter_name, parameter_data_type, parameter_value, creation_date, created_by, last_updated_date,  last_updated_by, description) " +
                            "VALUES " +
                            "("+modelMasterParamsId+", "+parameterCategory+", "+parameterName+", "+parameterDataType+", "+parameterValue+", current_timestamp, 'admin', current_timestamp, 'admin', "+description+");";
                    System.out.println(sql);
                    Ebean.createSqlUpdate(sql).execute();

                    SqlRow model = Ebean.createSqlQuery("select ai_model_master_id as id from ai_model_master_parameters " +
                            " where parameter_name="+parameterName+" and " +
                            " parameter_category="+parameterCategory+" and parameter_data_type="+parameterDataType+" and " +
                            " parameter_value="+parameterValue+" and " +
                            " description="+description+" and ai_model_master_parameters_id="+modelMasterParamsId+" limit 1;")
                            .setParameter("id", 1)
                            .findUnique();

                    aiModelMasterId = model.get("id")==null?0: (long) model.get("id");

                }else{
                String sql= "UPDATE ai_model_master_parameters \n" +
                        " SET ai_model_master_parameters_id = "+modelMasterParamsId+",  parameter_category = "+parameterCategory+", \n" +
                        "parameter_name = "+parameterName+", last_update_date = current_timestamp, last_updated_by = 'admin', created_by = 'admin', creation_date = current_timestamp , \n" +
                        "parameter_data_type = "+parameterDataType+", parameter_value = "+parameterValue+", description = "+description+" \n" +
                        " WHERE ai_model_master_id = "+updateAiModelMasterId+";";
                    Ebean.createSqlUpdate(sql).execute();

                    aiModelMasterId=updateAiModelMasterId;

                }
            }
            return ok(aiModelMasterId+"");

        }catch (Exception e){
            e.printStackTrace();
            return badRequest("Exception: "+e.getMessage());
        }
    }

Comments

Hi, @Sriram,

Can you post the actual SQL statement that gave this error? 

---

Hey, @sriram,

do you have Exception Trace from console or logs ??

---

Hello, @sriram,

Search for SQL injection in google. It's a flaw that allows a hacker to inject SQL statements into your API. You can prevent it by avoiding string concatenation and using parameterized statement