Class StatementAnalyzer

java.lang.Object
org.kawanfw.sql.api.server.StatementAnalyzer

public class StatementAnalyzer
extends Object
Class that allows the analysis of the string content of a SQL statement, mainly for security reasons.

Analysis methods include:
  • Says if a statement contains SQL comments.
  • Says if a statement contains semicolons (statement separator) that are not trailing.
  • Extracts the parsed statement name: DELETE / INSERT / SELECT / UPDATE, CREATE / ALTER / DROP...
  • Says if the parsed statement is a DML (Data Manipulation Language) statement.
  • Counts the number of parameters.
  • Methods to get the first, the last or any parameter.
  • Says if the parsed Statement is a DDL (Data Definition Language) statement.
  • Says if the parsed Statement is a DCL (Data Control Language) statement.
  • Says if the parsed Statement is a TCL (Transaction Control Language) statement.
  • Extracts the table names in use in the statement.
Since:
1.0
Author:
Nicolas de Pomereu
  • Constructor Summary

    Constructors
    Constructor Description
    StatementAnalyzer(String sql, List<Object> parameterValues)
    Constructor.
  • Method Summary

    Modifier and Type Method Description
    Object getFirstParameter()
    Returns the value in string of the first parameter of the parameters list.
    Object getLastParameter()
    Returns the value in string of the last parameter of the parameters list.
    Object getParameter​(int index)
    Returns the value as object of the parameter index in the list.
    int getParameterCount()
    Returns the number of parameters in the statement.
    net.sf.jsqlparser.statement.Statement getParsedStatement()
    Returns the statement parsed with JSQLParser.
    SQLException getParseException()
    Returns the parse Exception if any.
    String getSql()
    Returns the string content of the SQL statement.
    String getStatementName()
    Extracts the statement name from a SQL order.
    List<String> getTables()
    Returns the list of tables in the statement.
    boolean isDcl()
    Says if the statement is a DCL (Data Control Language) parsedStatement.
    boolean isDdl()
    Says if the Statement is a DDL (Data Definition Language) parsedStatement.
    boolean isDelete()
    Says if the statement is a DELETE.
    boolean isDml()
    Says if the statement is a DML (Data Manipulation Language) parsedStatement.
    boolean isInsert()
    Says if the statement is an INSERT.
    boolean isSelect()
    Says if the statement is a SELECT.
    boolean isStatementTypeNotParsed()
    Says if the statement type (DDL, DML, DCL, TCL) could not be parsed.
    boolean isTcl()
    Says if the statement is a TCL (Transaction Control Language) parsedStatement.
    boolean isUpdate()
    Says if the statement is an UPDATE.
    boolean isWithComments()
    Says if a statement contains SQL comments.
    boolean isWithSemicolons()
    Says if a statement contains semicolons (';') that are not trailing.

    Methods inherited from class java.lang.Object

    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • StatementAnalyzer

      public StatementAnalyzer(String sql, List<Object> parameterValues) throws SQLException
      Constructor.
      Parameters:
      sql - the string content of the SQL parsedStatement.
      parameterValues - the parameter values of a prepared parsedStatement in the natural order, empty list for a (non prepared) parsedStatement
      Throws:
      SQLException - if the parsed Statement can not be parsed
  • Method Details

    • getParsedStatement

      public net.sf.jsqlparser.statement.Statement getParsedStatement()
      Returns the statement parsed with JSQLParser.
      Returns:
      statement parsed with JSQLParser
    • isWithSemicolons

      public boolean isWithSemicolons()
      Says if a statement contains semicolons (';') that are not trailing. Use this to prevent attacks when a parsedStatement is multi-statements.
      Returns:
      true if the SQL statement contains semicolons that are not trailing.
    • isWithComments

      public boolean isWithComments()
      Says if a statement contains SQL comments.
      Returns:
      true if the SQL parsedStatement contains SQL comments
    • getStatementName

      public String getStatementName()
      Extracts the statement name from a SQL order.
      Returns:
      the statement name: DELETE, INSERT, SELECT, UPDATE, etc.
    • isDelete

      public boolean isDelete()
      Says if the statement is a DELETE.
      Returns:
      true if the parsed Statement is a DELETE
    • isInsert

      public boolean isInsert()
      Says if the statement is an INSERT.
      Returns:
      true if the parsed Statement is an INSERT
    • isSelect

      public boolean isSelect()
      Says if the statement is a SELECT.
      Returns:
      true if the parsed Statement is a SELECT
    • isUpdate

      public boolean isUpdate()
      Says if the statement is an UPDATE.
      Returns:
      true if the parsed Statement is an UPDATE
    • getParameterCount

      public int getParameterCount()
      Returns the number of parameters in the statement.
      Returns:
      the number of parameters in the statement
    • getLastParameter

      public Object getLastParameter()
      Returns the value in string of the last parameter of the parameters list.
      Returns:
      the value in string of the last parameter of the parameters list
      Throws:
      IndexOutOfBoundsException - if there is no parameter
    • getFirstParameter

      public Object getFirstParameter()
      Returns the value in string of the first parameter of the parameters list.
      Returns:
      the value in string of the first parameter of the parameters list.
      Throws:
      IndexOutOfBoundsException - if there is no parameter
    • getParameter

      public Object getParameter(int index)
      Returns the value as object of the parameter index in the list.
      Parameters:
      index - index of parameter as in a list: starts at 0.
      Returns:
      the value as object of the parameter index.
      Throws:
      IndexOutOfBoundsException - if the index is out of range (index < 0 || index >= size())
    • isDml

      public boolean isDml()
      Says if the statement is a DML (Data Manipulation Language) parsedStatement.
      Returns:
      true if the parsed Statement is DML parsedStatement
    • isDcl

      public boolean isDcl()
      Says if the statement is a DCL (Data Control Language) parsedStatement.
      Returns:
      true if the parsed Statement is DCL parsedStatement
    • isDdl

      public boolean isDdl()
      Says if the Statement is a DDL (Data Definition Language) parsedStatement.
      Returns:
      true if the parsed Statement is DDL parsedStatement
    • isTcl

      public boolean isTcl()
      Says if the statement is a TCL (Transaction Control Language) parsedStatement.
      Returns:
      true if the parsed Statement is TCL parsedStatement
    • getTables

      public List<String> getTables()
      Returns the list of tables in the statement. Returns an empty list if no tables found.
      Returns:
      the list of tables in the statement.
    • isStatementTypeNotParsed

      public boolean isStatementTypeNotParsed()
      Says if the statement type (DDL, DML, DCL, TCL) could not be parsed.
      Returns:
      true if the parsed Statement type could not be parsed.
    • getParseException

      public SQLException getParseException()
      Returns the parse Exception if any.
      Returns:
      the parse Exception. null if none.
    • getSql

      public String getSql()
      Returns the string content of the SQL statement.
      Returns:
      the string content of the SQL statement
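The following is an added example, not code from the AceQL project, showing how a server-side gate can combine the methods documented above to reject statements that a read-only client should never be allowed to send: stacked statements, comments, unparseable or unclassified statements, DDL/DCL, anything other than SELECT, and SELECTs against tables outside an allow-list. The class name StatementGateExample, the table allow-list and the sample statements are constructed for the example; the comparison of table names in lower case assumes nothing about how getTables() normalizes case.

```java
import java.sql.SQLException;
import java.util.Arrays;
import java.util.List;

import org.kawanfw.sql.api.server.StatementAnalyzer;

/**
 * Added example (not part of the AceQL project): a server-side gate built on
 * StatementAnalyzer for clients that are only allowed to read a few tables.
 */
public class StatementGateExample {

    // Constructed allow-list of tables a read-only client may query.
    private static final List<String> READ_ONLY_TABLES = Arrays.asList("customer", "orders");

    /**
     * Returns a human-readable rejection reason, or null if the statement is acceptable.
     * Every decision below uses only methods documented on the StatementAnalyzer class.
     */
    public static String rejectionReason(String sql, List<Object> parameterValues) {
        StatementAnalyzer analyzer;
        try {
            analyzer = new StatementAnalyzer(sql, parameterValues);
        } catch (SQLException e) {
            // SQL the parser cannot handle is refused rather than passed through.
            return "statement could not be parsed: " + e.getMessage();
        }

        // Defensive: some versions surface the parse failure here instead of throwing.
        if (analyzer.getParseException() != null) {
            return "statement could not be parsed: " + analyzer.getParseException().getMessage();
        }
        // A non-trailing semicolon means more than one statement was submitted.
        if (analyzer.isWithSemicolons()) {
            return "non-trailing semicolon (multiple statements)";
        }
        // Comments are commonly used to neutralize the rest of a statement; refuse them.
        if (analyzer.isWithComments()) {
            return "SQL comments are not allowed";
        }
        // If the statement type could not be classified, fail closed.
        if (analyzer.isStatementTypeNotParsed()) {
            return "statement type could not be determined";
        }
        // Schema (DDL) and privilege (DCL) changes never come from a read-only client.
        if (analyzer.isDdl() || analyzer.isDcl()) {
            return analyzer.getStatementName() + " is not permitted";
        }
        // Only SELECT is allowed for this client class.
        if (!analyzer.isSelect()) {
            return analyzer.getStatementName() + " is not permitted for read-only clients";
        }
        // Every table referenced by the statement must be on the allow-list
        // (case-insensitive comparison is an assumption of this example).
        for (String table : analyzer.getTables()) {
            if (!READ_ONLY_TABLES.contains(table.toLowerCase())) {
                return "table " + table + " is not in the read-only allow-list";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one acceptable statement and two that must be refused.
        List<Object> params = Arrays.asList((Object) 42);
        String[] samples = {
            "SELECT name FROM customer WHERE id = ?",
            "SELECT name FROM customer WHERE id = ?; DELETE FROM orders",
            "DELETE FROM customer WHERE id = ?"
        };
        for (String sql : samples) {
            String reason = rejectionReason(sql, params);
            System.out.println(sql + " -> " + (reason == null ? "allowed" : "rejected: " + reason));
        }
    }
}
```

The checks are ordered so that the cheapest and most decisive refusals (parse failure, stacked statements, comments) come first, and the gate fails closed whenever the analyzer cannot classify the statement. The same method calls fit naturally inside an AceQL SqlFirewallManager implementation, which is where such a decision would normally be made; wiring it there is left out because that interface is not described on this page.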