diff --git a/.gitignore b/.gitignore
index 9f3784d3..14ce53ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 .*
 **/dist/*
 **/test-reports/**/*.html
+*.iml
diff --git a/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/dao/setfinder/QueryExecutorHelperDao.java b/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/dao/setfinder/QueryExecutorHelperDao.java
index af13e70d..93b20eae 100755
--- a/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/dao/setfinder/QueryExecutorHelperDao.java
+++ b/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/dao/setfinder/QueryExecutorHelperDao.java
@@ -216,31 +216,31 @@ public void executeQuery( clearTempStmt.close(); String createSql = "CREATE TABLE " + TEMP_TABLE + " ( " - + " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), " + + " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), " + " PANEL_COUNT int, " + " fact_count int, " + " fact_panels int " + ")"; if (dsLookup.getServerType().equalsIgnoreCase( DAOFactoryHelper.POSTGRESQL)) createSql = "CREATE TEMP TABLE " + TEMP_TABLE + " ( " - + " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), " + + " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), " + " PANEL_COUNT int, " + " fact_count int, " + " fact_panels int " + ")"; stmt.executeUpdate(createSql); createSql = " CREATE TABLE " + TEMP_DX_TABLE + " ( " - + " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), temporal_start_date datetime, temporal_end_date DATETIME ) "; + + " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), temporal_start_date datetime, temporal_end_date DATETIME ) "; if (dsLookup.getServerType().equalsIgnoreCase( DAOFactoryHelper.POSTGRESQL)) createSql = " CREATE TEMP TABLE " + TEMP_DX_TABLE + " ( " - + " ENCOUNTER_NUM int, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) "; + + " ENCOUNTER_NUM bigint, " + " PATIENT_NUM int, INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) "; 
stmt.executeUpdate(createSql); createSql = " CREATE TABLE " + TEMP_MASTER_TABLE + " ( " - + " ENCOUNTER_NUM int, PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date DATETIME, temporal_end_date DATETIME ) "; + + " ENCOUNTER_NUM bigint, PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE DATETIME, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date DATETIME, temporal_end_date DATETIME ) "; if (dsLookup.getServerType().equalsIgnoreCase( DAOFactoryHelper.POSTGRESQL)) createSql = " CREATE TEMP TABLE " + TEMP_MASTER_TABLE + " ( " - + " ENCOUNTER_NUM int, PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) "; + + " ENCOUNTER_NUM bigint, PATIENT_NUM int , INSTANCE_NUM int, CONCEPT_CD varchar(50), START_DATE TIMESTAMP, PROVIDER_ID varchar(50), MASTER_ID varchar(50), LEVEL_NO int, temporal_start_date TIMESTAMP, temporal_end_date TIMESTAMP ) "; stmt.executeUpdate(createSql); if (dsLookup.getServerType().equalsIgnoreCase( diff --git a/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/util/SqlClauseUtil.java b/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/util/SqlClauseUtil.java index a73cfd65..3dfa5330 100755 --- a/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/util/SqlClauseUtil.java +++ b/edu.harvard.i2b2.crc/src/server/edu/harvard/i2b2/crc/util/SqlClauseUtil.java @@ -18,8 +18,8 @@ /** * Class to build sql clause from the input, to catch sql injection attack. - * - * + * + * */ public class SqlClauseUtil { protected final static Log log = LogFactory.getLog(SqlClauseUtil.class); @@ -28,7 +28,7 @@ public class SqlClauseUtil { /** * Rebuild the sql IN clause from the input value constrain - * + * * @param theValueCons * @param encloseSingleQuote * @return 
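Review bot: The change of ENCOUNTER_NUM to bigint is made in six DDL strings (TEMP_TABLE, TEMP_DX_TABLE and TEMP_MASTER_TABLE, one per dialect) with no comment recording what width it is tracking, so the next reader cannot tell whether PATIENT_NUM and INSTANCE_NUM staying int is deliberate; a one-line note on the first CREATE such as `// ENCOUNTER_NUM is bigint; keep this width in step with the encounter_num column these rows are loaded from` would capture the intent. The per-dialect variants of each table differ only in `CREATE TEMP TABLE` vs `CREATE TABLE` and TIMESTAMP vs DATETIME, so a small private helper taking the table name and the dialect would have made this a single-site edit; that is a style point rather than a defect. executeQuery begins before this hunk and continues after it, so any further DDL or index creation for these tables is out of view here.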
@@ -76,7 +76,7 @@ public static String buildINClause(String theValueCons, /** * Rebuild the sql BETWEEN clause from the input value constrain - * + * * @param betweenConstraint * @return * @throws I2B2Exception 
@@ -100,59 +100,65 @@ public static String buildBetweenClause(String betweenConstraint) return firstElement.replaceAll("'", "''") + " and " + thirdElement.replaceAll("'", "''"); } - - + + public static boolean isEnclosedinSingleQuote(String value) { if (value.startsWith("'") && value.endsWith("'")) { return true; - } else { + } else { return false; } } public static boolean isEnclosedinBraces(String value) { if (value.startsWith("(") && value.endsWith(")")) { return true; - } else { + } else { return false; } } - - public static String handleMetaDataTextValue(String operator,String value) { + + public static String handleMetaDataTextValue(String operator,String value) { String formattedValue = value; if ((operator != null) && (operator.toUpperCase().equals("LIKE"))) { boolean needPercentFlag = false, needSlashFlag = false; //if not enclosed in single quote - if (!SqlClauseUtil.isEnclosedinSingleQuote(formattedValue)) { + if (!SqlClauseUtil.isEnclosedinSingleQuote(formattedValue)) { + log.debug("formattedValue before change: " + formattedValue); //escape the single quote formattedValue = JDBCUtil.escapeSingleQuote(formattedValue); - + //For some reason the single quote escape doesn't work as expected, + //hence we do another replacement here instead of in escapeSingleQuote to avoid regression issue. + //in case there was an escaped single quote like '' being replaced into '''', we change it back. 
+ formattedValue = formattedValue.replace("'", "''").replace("''''", "''"); + log.debug("formattedValue after change: " + formattedValue); + // if missing \ if (formattedValue.lastIndexOf('%') != formattedValue.length() - 1) { - needPercentFlag = true; - } - + needPercentFlag = true; + } + //else if missing % - if (needPercentFlag) { + if (needPercentFlag) { if (formattedValue.lastIndexOf('\\') != formattedValue.length() - 1) { log.debug("Adding \\ at the end of the Concept path "); needSlashFlag = true; - } - } else { + } + } else { if (formattedValue.lastIndexOf('\\') != formattedValue.length() - 2) { log.debug("Adding \\ at the end of the Concept path "); needSlashFlag = true; } } - + if (needSlashFlag) { if (needPercentFlag) { formattedValue=formattedValue+"\\%"; } else { formattedValue = formattedValue + "\\"; } - - } else if (needPercentFlag) { + + } else if (needPercentFlag) { formattedValue = formattedValue + "%"; } formattedValue = "'" + formattedValue + "'"; 
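Review bot: The added `formattedValue.replace("'", "''").replace("''''", "''")` after the `JDBCUtil.escapeSingleQuote` call is not a reliable escape: it maps both `'` and an already-escaped `''` to `''`, a run of three quotes comes out as four, and the result for a given input depends on whether escapeSingleQuote itself already doubled the quote, which the new comment says is not understood. Since this class exists to stop SQL injection, the input on which escapeSingleQuote "doesn't work as expected" should be pinned down with a unit test and fixed in that helper, rather than patched over in the LIKE branch only. The non-LIKE path in the following hunk still relies solely on `JDBCUtil.escapeSingleQuote`, so if that escape really is broken the equality path keeps the same defect. The two new `log.debug` lines write the raw constraint value, i.e. caller-supplied text, to the log; acceptable at debug level, but the comment should say so. handleMetaDataTextValue's body continues past the end of this hunk.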
@@ -162,61 +168,61 @@ public static String handleMetaDataTextValue(String operator,String value) { formattedValue = value; formattedValue = SqlClauseUtil.buildINClause(formattedValue, true); formattedValue = "(" + formattedValue + ")"; - - } else { + + } else { boolean needSingleQuoteFlag = false; - + formattedValue = value; //escape the single quote formattedValue = JDBCUtil.escapeSingleQuote(formattedValue); - - + + // if not enclosed in '', add it - if (!SqlClauseUtil.isEnclosedinSingleQuote(value)) { + if (!SqlClauseUtil.isEnclosedinSingleQuote(value)) { needSingleQuoteFlag = true; } - if (needSingleQuoteFlag) { + if (needSingleQuoteFlag) { formattedValue = "'" + formattedValue + "'"; } } return formattedValue; } - public static String handleMetaDataNumericValue(String operator, String value) { + public static String handleMetaDataNumericValue(String operator, String value) { String formattedValue = ""; boolean needBracesFlag = false; //if operator is IN, then add open and close braces if it is missing - if (operator.toUpperCase().equals("IN")) { - if (!SqlClauseUtil.isEnclosedinBraces(value)) { + if (operator.toUpperCase().equals("IN")) { + if (!SqlClauseUtil.isEnclosedinBraces(value)) { needBracesFlag = true; } } - if (needBracesFlag) { + if (needBracesFlag) { formattedValue = "(" + value + ")"; - } else { + } else { formattedValue = value; } return formattedValue; } - - public static String handleMetaDataDateValue(String operator, String value) { + + public static String handleMetaDataDateValue(String operator, String value) { String formattedValue = ""; boolean needBracesFlag = false; //if operator is IN, then add open and close braces if it is missing - if (operator.toUpperCase().equals("IN")) { - if (!SqlClauseUtil.isEnclosedinBraces(value)) { + if (operator.toUpperCase().equals("IN")) { + if (!SqlClauseUtil.isEnclosedinBraces(value)) { needBracesFlag = true; } } - if (needBracesFlag) { + if (needBracesFlag) { formattedValue = "(" + value + ")"; - } else 
{ + } else { formattedValue = value; } return formattedValue; } - - - + + + }