Fixed single quote escape and bigint issues

Signed-off-by: yxia2 <yxia2@ufl.edu>

.gitignore

@@ -3,3 +3,4 @@
 .*
 **/dist/*
 **/test-reports/**/*.html
+*.iml

edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/dao/setfinder/QueryExecutorHelperDao.java

@@ -216,31 +216,31 @@ public void executeQuery(
 				clearTempStmt.close();
 
 				String createSql = "CREATE  TABLE " + TEMP_TABLE + " ( "
-						+ " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), "
+						+ " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), "
 						+ " PANEL_COUNT int, " + " fact_count int, "
 						+ " fact_panels int " + ")";
 
 				if (dsLookup.getServerType().equalsIgnoreCase(
 						DAOFactoryHelper.POSTGRESQL))
 					createSql =  "CREATE TEMP  TABLE " + TEMP_TABLE + " ( "
-							+ " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), "
+							+ " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), "
 							+ " PANEL_COUNT int, " + " fact_count int, "
 							+ " fact_panels int " + ")";
 				stmt.executeUpdate(createSql);
 				createSql = " CREATE  TABLE " + TEMP_DX_TABLE + "  ( "
-						+ " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), temporal_start_date datetime, temporal_end_date DATETIME ) ";
+						+ " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), temporal_start_date datetime, temporal_end_date DATETIME ) ";
 				if (dsLookup.getServerType().equalsIgnoreCase(
 						DAOFactoryHelper.POSTGRESQL))
 					createSql = " CREATE TEMP TABLE " + TEMP_DX_TABLE + "  ( "
-							+ " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) ";
+							+ " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) ";
 
 				stmt.executeUpdate(createSql);
 				createSql = " CREATE  TABLE " + TEMP_MASTER_TABLE + "  ( "
-						+ " ENCOUNTER_NUM int,  PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date DATETIME, temporal_end_date DATETIME ) ";
+						+ " ENCOUNTER_NUM bigint,  PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date DATETIME, temporal_end_date DATETIME ) ";
 				if (dsLookup.getServerType().equalsIgnoreCase(
 						DAOFactoryHelper.POSTGRESQL))
 					createSql = " CREATE TEMP TABLE " + TEMP_MASTER_TABLE + "  ( "
-							+ " ENCOUNTER_NUM int,  PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) ";
+							+ " ENCOUNTER_NUM bigint,  PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) ";
 				stmt.executeUpdate(createSql);
 
 				if (dsLookup.getServerType().equalsIgnoreCase(

edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/util/SqlClauseUtil.java

@@ -18,8 +18,8 @@
 
 /**
  * Class to build sql clause from the input, to catch sql injection attack.
- * 
- * 
+ *
+ *
  */
 public class SqlClauseUtil {
 	protected final static Log log = LogFactory.getLog(SqlClauseUtil.class);
@@ -28,7 +28,7 @@ public class SqlClauseUtil {
 
 	/**
 	 * Rebuild the sql IN clause from the input value constrain
-	 * 
+	 *
 	 * @param theValueCons
 	 * @param encloseSingleQuote
 	 * @return
@@ -76,7 +76,7 @@ public static String buildINClause(String theValueCons,
 
 	/**
 	 * Rebuild the sql BETWEEN clause from the input value constrain
-	 * 
+	 *
 	 * @param betweenConstraint
 	 * @return
 	 * @throws I2B2Exception
@@ -100,59 +100,65 @@ public static String buildBetweenClause(String betweenConstraint)
 		return firstElement.replaceAll("'", "''") + " and "
 				+ thirdElement.replaceAll("'", "''");
 	}
-	
-	
+
+
 	public static boolean isEnclosedinSingleQuote(String value) {
 		if (value.startsWith("'") && value.endsWith("'")) {
 			return true;
-		} else { 
+		} else {
 			return false;
 		}
 	}
 	public static boolean isEnclosedinBraces(String value) {
 		if (value.startsWith("(") && value.endsWith(")")) {
 			return true;
-		} else { 
+		} else {
 			return false;
 		}
 	}
-	
-	public static String handleMetaDataTextValue(String operator,String value) { 
+
+	public static String handleMetaDataTextValue(String operator,String value) {
 		String  formattedValue = value;
 		if ((operator != null)
 				&& (operator.toUpperCase().equals("LIKE"))) {
 			boolean needPercentFlag = false, needSlashFlag = false;
 			//if not enclosed in single quote
-			if (!SqlClauseUtil.isEnclosedinSingleQuote(formattedValue)) { 
+			if (!SqlClauseUtil.isEnclosedinSingleQuote(formattedValue)) {
+				log.debug("formattedValue before change: " + formattedValue);
 				//escape the single quote
 				formattedValue = JDBCUtil.escapeSingleQuote(formattedValue);
-
+				//For some reason the single quote escape doesn't work as expected,
+				//hence we do another replacement here instead of in escapeSingleQuote to avoid regression issue.
+				//in case there was an escaped single quote like '' being replaced into '''', we change it back.
+				formattedValue = formattedValue.replace("'", "''").replace("''''", "''");
+				log.debug("formattedValue after change: " + formattedValue);
+
 				// if missing \
 				if (formattedValue.lastIndexOf('%') != formattedValue.length() - 1) {
-					needPercentFlag = true; 
-				} 
-				
+					needPercentFlag = true;
+				}
+
 				//else if missing %
-				if (needPercentFlag) { 
+				if (needPercentFlag) {
 					if (formattedValue.lastIndexOf('\\') != formattedValue.length() - 1) {
 						log.debug("Adding \\ at the end of the Concept path ");
 						needSlashFlag = true;
-					}	
-				} else { 
+					}
+				} else {
 					if (formattedValue.lastIndexOf('\\') != formattedValue.length() - 2) {
 						log.debug("Adding \\ at the end of the Concept path ");
 						needSlashFlag = true;
 					}
 				}
-				
+
 				if (needSlashFlag) {
 					if (needPercentFlag) {
 						formattedValue=formattedValue+"\\%";
 					} else {
 						formattedValue = formattedValue + "\\";
 					}
-				
-				} else if (needPercentFlag) { 
+
+				} else if (needPercentFlag) {
 					formattedValue = formattedValue + "%";
 				}
 				formattedValue = "'" + formattedValue + "'";
@@ -162,61 +168,61 @@ public static String handleMetaDataTextValue(String operator,String value) {
 			formattedValue = value;
 			formattedValue = SqlClauseUtil.buildINClause(formattedValue, true);
 			formattedValue = "(" + formattedValue  + ")";
-			
-		} else { 
+
+		} else {
 			boolean needSingleQuoteFlag = false;
-			
+
 			formattedValue = value;
 			//escape the single quote
 			formattedValue = JDBCUtil.escapeSingleQuote(formattedValue);
-			
-			
+
+
 			// if not enclosed in '', add it
-			if (!SqlClauseUtil.isEnclosedinSingleQuote(value)) { 
+			if (!SqlClauseUtil.isEnclosedinSingleQuote(value)) {
 					needSingleQuoteFlag = true;
 			}
-			if (needSingleQuoteFlag) { 
+			if (needSingleQuoteFlag) {
 				formattedValue = "'" + formattedValue + "'";
 			}
 		}
 		return formattedValue;
 	}
 
-	public static String handleMetaDataNumericValue(String operator, String value) { 
+	public static String handleMetaDataNumericValue(String operator, String value) {
 		String formattedValue = "";
 		boolean needBracesFlag = false;
 		//if operator is IN, then add open and close braces if it is missing
-		if (operator.toUpperCase().equals("IN")) { 
-			if (!SqlClauseUtil.isEnclosedinBraces(value)) { 
+		if (operator.toUpperCase().equals("IN")) {
+			if (!SqlClauseUtil.isEnclosedinBraces(value)) {
 				needBracesFlag = true;
 			}
 		}
-		if (needBracesFlag) { 
+		if (needBracesFlag) {
 			formattedValue = "(" + value + ")";
-		} else { 
+		} else {
 			formattedValue = value;
 		}
 		return formattedValue;
 	}
-	
-	public static String handleMetaDataDateValue(String operator, String value) { 
+
+	public static String handleMetaDataDateValue(String operator, String value) {
 		String formattedValue = "";
 		boolean needBracesFlag = false;
 		//if operator is IN, then add open and close braces if it is missing
-		if (operator.toUpperCase().equals("IN")) { 
-			if (!SqlClauseUtil.isEnclosedinBraces(value)) { 
+		if (operator.toUpperCase().equals("IN")) {
+			if (!SqlClauseUtil.isEnclosedinBraces(value)) {
 				needBracesFlag = true;
 			}
 		}
-		if (needBracesFlag) { 
+		if (needBracesFlag) {
 			formattedValue = "(" + value + ")";
-		} else { 
+		} else {
 			formattedValue = value;
 		}
 		return formattedValue;
 	}
-	
-	
-	
+
+
+
 
 }