HQL Coding Conventions

Overview

This document describes the HQL coding standards and coding principles used in the development of Openbravo.

Openbravo has a tool that checks for possible HQL/SQL injection problems, and it only works on plain Strings. It is therefore mandatory in Openbravo to always build HQL queries with plain Strings, never with StringBuilder or StringBuffer.

Formatting

Formatting HQL is important for readability. Wrap every formatted HQL string query in // @formatter:off and // @formatter:on so that the IDE formatter does not collapse the one-clause-per-line layout.

Example without formatter directives (avoid):

      final String qryStr = "select t.table.id, wa.editableField"
          + " from ADTab t" + "  left join t.window w"
          + "  left join w.aDWindowAccessList wa" + " where wa.role.id= :roleId";
      final Query<Object[]> qry = SessionHandler.getInstance()
          .createQuery(qryStr, Object[].class)
          .setParameter("roleId", getRoleId());
      final List<Object[]> tabData = qry.list();

Formatted example:

      // @formatter:off
      final String qryStr = "select t.table.id, wa.editableField"
          + " from ADTab t"
          + "  left join t.window w"
          + "  left join w.aDWindowAccessList wa"
          + " where wa.role.id= :roleId";
      // @formatter:on
      final Query<Object[]> qry = SessionHandler.getInstance()
          .createQuery(qryStr, Object[].class)
          .setParameter("roleId", getRoleId());
      final List<Object[]> tabData = qry.list();

SQL Injection (report any occurrence you find)

To avoid SQL injection, always use bind parameters. Concatenating parameter values into HQL or SQL strings is strictly forbidden.

Bad example:

   private static boolean hasProcessingColumn(String strTableId) {
     ....
     // strTableId is spliced into the query text, so whatever it contains becomes HQL
     String hql = " select count(AD_Column_ID) from ADColumn where table.id = '" + strTableId + "' "
         + " and lower(dBColumnName) = 'processing'";
     Query<Long> query = OBDal.getInstance().getSession().createQuery(hql, Long.class);
     ....
   }

Good example:

   private static boolean hasProcessingColumn(String strTableId) {
     ....
     // @formatter:off
     String hql = " select count(AD_Column_ID)"
         + " from ADColumn"
         + " where table.id = :tableId "
         + " and lower(dBColumnName) = 'processing'";
     // @formatter:on
     Query<Long> query = OBDal.getInstance().getSession().createQuery(hql, Long.class);
     // the value is bound by Hibernate, never interpreted as query text
     query.setParameter("tableId", strTableId);
     ....
   }

IMPORTANT: this rule is critical and must never be ignored. It does not matter whether the value looks safe (an internal id, a value validated elsewhere, a constant): always use a bind parameter.
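As an added illustration (not code from this page or from the Openbravo code base), the following Java class extends the rule above to two situations the page's example does not cover: a list of ids, which is bound with setParameterList instead of a comma-joined string, and a caller-chosen ORDER BY, which bind parameters cannot express and which is therefore taken from a fixed allowlist of literal fragments so that no caller text ever reaches the query string. It also shows the crafted value that the concatenated hasProcessingColumn above would have accepted. It assumes Hibernate 5's org.hibernate.query.Query, the OBDal session accessor used on this page, and that the ADColumn entity exposes id, table, dBColumnName and seqno properties; the class and method names are illustrative.

```java
import java.util.List;

import org.hibernate.Session;
import org.hibernate.query.Query;
import org.openbravo.dal.service.OBDal;

/**
 * Added example, not Openbravo code. Every caller-supplied value is bound;
 * the one fragment that cannot be a bind parameter (an ORDER BY identifier)
 * is picked from a fixed allowlist of literals and never built from input.
 */
public class ColumnQueries {

  /**
   * Spliced into the concatenated query on this page this value yields
   *   where table.id = 'x' or '1'='1' and lower(dBColumnName) = 'processing'
   * and counts the 'processing' columns of every table. Passed as a bind
   * parameter it is just a string that matches no table id.
   */
  public static final String CRAFTED_TABLE_ID = "x' or '1'='1";

  /** Counts 'processing' columns across several tables; all values are bound. */
  public static long countProcessingColumns(List<String> tableIds) {
    if (tableIds == null || tableIds.isEmpty()) {
      return 0L; // "in ()" is not valid HQL, so short-circuit instead
    }
    // @formatter:off
    final String hql = "select count(c.id)"
        + " from ADColumn c"
        + " where c.table.id in (:tableIds)"
        + "   and lower(c.dBColumnName) = :colName";
    // @formatter:on
    final Session session = OBDal.getInstance().getSession();
    final Query<Long> query = session.createQuery(hql, Long.class);
    query.setParameterList("tableIds", tableIds); // one bound value per element
    query.setParameter("colName", "processing");
    return query.uniqueResult();
  }

  /** Column names of one table, ordered by a caller-chosen, allowlisted key. */
  public static List<String> columnNames(String tableId, String sortKey) {
    // @formatter:off
    final String hql = "select c.dBColumnName"
        + " from ADColumn c"
        + " where c.table.id = :tableId"
        + orderByFor(sortKey); // a hard-coded literal chosen below, not input
    // @formatter:on
    return OBDal.getInstance().getSession()
        .createQuery(hql, String.class)
        .setParameter("tableId", tableId)
        .list();
  }

  /**
   * Maps a caller key to a hard-coded ORDER BY fragment. Any other key is
   * rejected, so the caller's text itself never becomes part of the query.
   */
  private static String orderByFor(String sortKey) {
    if (sortKey == null) {
      return "";
    }
    switch (sortKey) {
      case "name":
        return " order by c.dBColumnName";
      case "seqno":
        return " order by c.seqno";
      default:
        throw new IllegalArgumentException("Unsupported sort key: " + sortKey);
    }
  }
}
```

The injection checker mentioned in the Overview may flag any concatenation that is not a string literal, including the allowlisted ORDER BY fragment; keep such fragments as short hard-coded literals selected by an exhaustive switch, and treat any other dynamic piece of a query (a table name, a column name, an operator) the same way. Values always go through setParameter or setParameterList.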

Generated constants

Avoid generated constants (the entity class name and the generated PROPERTY_* constants) in HQL queries. Where you would otherwise use one, write the entity or property name directly in the query string.

Bad example:

    final Query<String> qry = SessionHandler.getInstance()
        .createQuery("select o.id from " + Organization.class.getName() + " o where " + "o."
            + Organization.PROPERTY_CLIENT + "=:client", String.class);

Good example:

    /* Removed Organization.class.getName() and PROPERTY_CLIENT constant */
    // @formatter:off
    final String orgQryStr = "select o.id"
        + " from Organization o"
        + " where o.client=:client";
    // @formatter:on
    final Query<String> qry = SessionHandler.getInstance()
        .createQuery(orgQryStr, String.class);

Retrieved from "http://wiki.openbravo.com/wiki/HQL_Coding_Conventions"

This page was last modified on 30 July 2019, at 14:02. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.