Cool things about Hibernate & JSP

Generally people have to do a lot of work to sanitize input from the user (excluding *URL* sanitizing). Here is something you can do with minimum effort if you are using Hibernate and JSP, and it sanitizes everything (courtesy Ben Wolfe):

1. You *don't* have to do anything to prevent SQL injection; Hibernate already does it by using Java's PreparedStatements.
2. XSS can be prevented by displaying data using <c:out value="${myobject.myvar}"/> instead of just ${myobject.myvar} in your JSP (c:out HTML-escapes the value by default).

Hibernate Mapping file #tutorial

In this small tutorial I am going to show you how a Hibernate mapping file can be created when an SQL relation is given to you.

Let us say you have the following table:

CREATE TABLE `feedback_feedback` (
`feedback_id` int(11) NOT NULL AUTO_INCREMENT,
`creator` int(11) NOT NULL,
`subject` varchar(255) COLLATE utf8_bin NOT NULL,
`content` varchar(5000) COLLATE utf8_bin NOT NULL,
`severity` varchar(25) COLLATE utf8_bin NOT NULL,
`comment` varchar(5000) COLLATE utf8_bin DEFAULT NULL,
`status` varchar(25) COLLATE utf8_bin DEFAULT NULL,
`date_created` date NOT NULL,
`date_changed` date DEFAULT NULL,
PRIMARY KEY (`feedback_id`)
)


and the following POJO:

package org.openmrs.module.feedback;

import java.util.Date;

/**
 * POJO for the feedback_feedback relation in the Feedback Module.
 */
public class FeedbackFeedback implements java.io.Serializable {

    private Integer feedbackId;
    private int creator;
    private String subject;
    private String content;
    private String severity;
    private String comment;
    private String status;
    private Date dateCreated;
    private Date dateChanged;

    /**
     * Default no-argument constructor (Hibernate needs it to instantiate the class).
     */
    public FeedbackFeedback() {
    }

    /**
     * Constructor taking only the arguments that cannot be null.
     */
    public FeedbackFeedback(int creator, String subject, String content, String severity, Date dateCreated) {
        this.creator = creator;
        this.subject = subject;
        this.content = content;
        this.severity = severity;
        this.dateCreated = dateCreated;
    }

    /**
     * Constructor with all arguments.
     */
    public FeedbackFeedback(int creator, String subject, String content, String severity, String comment, String status, Date dateCreated, Date dateChanged) {
        this.creator = creator;
        this.subject = subject;
        this.content = content;
        this.severity = severity;
        this.comment = comment;
        this.status = status;
        this.dateCreated = dateCreated;
        this.dateChanged = dateChanged;
    }

    public Integer getFeedbackId() {
        return this.feedbackId;
    }

    public void setFeedbackId(Integer feedbackId) {
        this.feedbackId = feedbackId;
    }

    public int getCreator() {
        return this.creator;
    }

    public void setCreator(int creator) {
        this.creator = creator;
    }

    public String getSubject() {
        return this.subject;
    }

    public void setSubject(String subject) {
        this.subject = subject;
    }

    public String getContent() {
        return this.content;
    }

    public void setContent(String content) {
        this.content = content;
    }

    public String getSeverity() {
        return this.severity;
    }

    public void setSeverity(String severity) {
        this.severity = severity;
    }

    public String getComment() {
        return this.comment;
    }

    public void setComment(String comment) {
        this.comment = comment;
    }

    public String getStatus() {
        return this.status;
    }

    public void setStatus(String status) {
        this.status = status;
    }

    public Date getDateCreated() {
        return this.dateCreated;
    }

    public void setDateCreated(Date dateCreated) {
        this.dateCreated = dateCreated;
    }

    public Date getDateChanged() {
        return this.dateChanged;
    }

    public void setDateChanged(Date dateChanged) {
        this.dateChanged = dateChanged;
    }
}

Now, if you want to create a Hibernate mapping file for the relation given above, it will look something like this (an explanation of the important elements is given at the end):

<?xml version="1.0"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<hibernate-mapping package="org.openmrs.module.feedback">
    <class name="org.openmrs.module.feedback.FeedbackFeedback" table="feedback_feedback">
        <id name="feedbackId" type="java.lang.Integer">
            <column name="feedback_id" />
            <!-- the class attribute is required by the DTD; native lets the AUTO_INCREMENT column assign the id -->
            <generator class="native" />
        </id>
        <property name="creator" type="int">
            <column name="creator" not-null="true" />
        </property>
        <property name="subject" type="string">
            <column name="subject" not-null="true" />
        </property>
        <property name="content" type="string">
            <column name="content" length="5000" not-null="true" />
        </property>
        <property name="severity" type="string">
            <column name="severity" length="25" not-null="true" />
        </property>
        <property name="comment" type="string">
            <column name="comment" length="5000" />
        </property>
        <property name="status" type="string">
            <column name="status" length="25" />
        </property>
        <property name="dateCreated" type="date">
            <column name="date_created" length="10" not-null="true" />
        </property>
        <property name="dateChanged" type="date">
            <column name="date_changed" length="10" />
        </property>
    </class>
</hibernate-mapping>

Comments:

1. <class name="org.openmrs.module.feedback.FeedbackFeedback" table="feedback_feedback">
The name attribute tells which POJO class your relation is mapped to, and the table attribute tells which relation (table) you are currently referring to.

2. <id name="feedbackId" type="java.lang.Integer">
This tells which field of the class you are referring to and its data type. The id tag tells Hibernate that it is the primary key.

3. <column name="feedback_id" />
This tells which attribute (column) of the relation the class field is mapped to.

4. <generator class="native" />
The generator element tells how the value of the id will be generated; native leaves it to the database, which matches the AUTO_INCREMENT column here.

5. <property name="severity" type="string">
This tells which field of the class you are referring to and its data type. This is just an ordinary attribute of the table, not the primary key.

For a more detailed view see the official page: http://docs.jboss.org/hibernate/core/3.3/reference/en/html/mapping.html
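As an added example (not part of the original post or of the OpenMRS Feedback module), here is a hypothetical DAO that uses the mapping above and shows exactly where the "Hibernate already prevents SQL injection" point from the first section holds: the PreparedStatement protection applies when user input is bound as a query parameter, not when it is concatenated into the HQL string. It assumes a SessionFactory built from this mapping with a current-session context configured.

```java
package org.openmrs.module.feedback;

import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;

/** Hypothetical DAO for the mapped FeedbackFeedback class (added example, not module code). */
public class FeedbackFeedbackDao {

    private final SessionFactory sessionFactory;

    /** Assumes a SessionFactory built from hibernate.cfg.xml plus the mapping file above. */
    public FeedbackFeedbackDao(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    /** Inserts a row; the native generator fills feedbackId from the AUTO_INCREMENT column. */
    public Integer save(FeedbackFeedback feedback) {
        Session session = sessionFactory.getCurrentSession();
        return (Integer) session.save(feedback);
    }

    /**
     * SAFE: the user-supplied severity is bound as a named parameter, so Hibernate
     * passes it through a PreparedStatement placeholder and it is never parsed as
     * part of the query text, whatever characters it contains.
     */
    @SuppressWarnings("unchecked")
    public List<FeedbackFeedback> findBySeverity(String severity) {
        Query query = sessionFactory.getCurrentSession().createQuery(
                "from FeedbackFeedback f where f.severity = :severity order by f.dateCreated desc");
        query.setParameter("severity", severity);
        return (List<FeedbackFeedback>) query.list();
    }

    /**
     * UNSAFE, shown for contrast only: concatenating the value into the HQL string
     * bypasses the PreparedStatement protection, because the input becomes part of
     * the query text before any placeholder binding happens.
     */
    @SuppressWarnings("unchecked")
    public List<FeedbackFeedback> findBySeverityUnsafe(String severity) {
        String hql = "from FeedbackFeedback f where f.severity = '" + severity + "'";
        return (List<FeedbackFeedback>) sessionFactory.getCurrentSession().createQuery(hql).list();
    }
}
```

Values read from the severity column still need the c:out treatment from point 2 when rendered in a JSP; parameter binding protects the database, not the browser.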