
java.sql.SQLException: ORA-00907: missing right parenthesis

lakshmi gullapudi
Greenhorn
Posts: 16
Found a vulnerability while scanning the application, but didn't find anything wrong in the query...

Exception in logs:

02 May 2013 23:25:48,843 [SocketListener0-6] ERROR com.xelus.solos.query.Query - Sql Exception thrown when executi
java.sql.SQLException: ORA-00907: missing right parenthesis

at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:114)
at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
at oracle.jdbc.ttc7.Oall7.receive(Oall7.java:542)
at oracle.jdbc.ttc7.TTC7Protocol.doOall7(TTC7Protocol.java:1311)
at oracle.jdbc.ttc7.TTC7Protocol.parseExecuteDescribe(TTC7Protocol.java:595)
at oracle.jdbc.driver.OracleStatement.doExecuteQuery(OracleStatement.java:1600)
at oracle.jdbc.driver.OracleStatement.doExecute(OracleStatement.java:1758)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1807)
at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:332)
at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:283)
at com.bitmechanic.sql.PooledPreparedStatement.executeQuery(PooledPreparedStatement.java:33)
at com.xelus.solos.query.Query.execute(Unknown Source)
at com.xelus.solos.trans.ProductLinePrompt.validatePdsProductCd(Unknown Source)
at com.xelus.solos.trans.ProductLinePrompt.isValid(Unknown Source)
at com.xelus.solos.trans.Display1BrTrans.getFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor288.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
at com.xelus.solos.servlet.TransServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:616)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)
at org.mortbay.jetty.servlet.ServletHandler.dispatch(ServletHandler.java:666)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
at org.mortbay.http.HttpServer.service(HttpServer.java:909)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

--------------------------------------------------------------------------------------------------------------------------------------------------------
Code: ProductLinePrompt.java


private boolean validatePdsProductCd(String pdsCd,
                                     StringBuffer validPdsProductCdFilter,
                                     ResourceBundle productLinePromptBundle)
        throws SQLException, ConnectionManagerException,
               ObjectNotInDbException, QueryException {
    boolean returnValue = true;

    SpliByPdsProductCodeQuery query = new SpliByPdsProductCodeQuery();

    if (pdsCd != null) {
        // The user-supplied code is wrapped in single quotes here and later
        // concatenated straight into the SQL text by getSQL(), so a quote or
        // parenthesis inside pdsCd becomes part of the statement itself.
        query.setParam(SpliByPdsProductCodeQuery.PARAM_PDS_PRODUCT_CDS,
                       "'" + pdsCd.toUpperCase() + "'");

        query.execute();

        if (query.hasNext()) {
            validPdsProductCdFilter.append(pdsCd.toUpperCase() + " ");
        }
        else {
            // if this is a valid code name but has no associated spli's just ignore it
            // don't create an error message
            if (!SolosCodeName.isStoredByPdsProductCd(pdsCd.toUpperCase()))
                returnValue = false;
        }

        if (!returnValue) {
            Object[] args = {pdsCd};
            String msg = productLinePromptBundle.getString("ERROR_MSG_044");
            _errorMessageList.add(MessageFormat.format(msg, args));
        }

        query.close();
    }

    return returnValue;
}

------------------------------------------------------------------------------------------------------------------------------------------------
Query.execute()

public void execute() throws QueryException {
    long start = System.currentTimeMillis();

    try {
        if (_con == null) {
            // get a connection to use
            ConnectionManager connectionManager = ConnectionManager.getInstance();
            Connection con = connectionManager.getConnection();
            con.setAutoCommit(false);

            setConnection(con, true);
        }

        if (logCat.isDebugEnabled()) {
            logCat.debug(getSQL());
            logParameters();
        }

        // If there are parameters then create a prepared statement to run,
        // otherwise create a regular statement.
        if (_params.size() > 0) {
            _pstmt = _con.prepareStatement(getSQL());
            postParameters();
            // The stack trace above shows ORA-00907 raised from this executeQuery()
            // call: Oracle parses the concatenated text from getSQL() at this point.
            _rs = _pstmt.executeQuery();
        }
        else {
            _stmt = _con.createStatement();
            _rs = _stmt.executeQuery(getSQL());
        }

        _hasNext = _rs.next();
    }
    catch (SQLException e) {
        logCat.error("Sql Exception thrown when executing query", e);
        close();
        throw new QueryException("Sql Exception thrown when executing query", getSQL());
    }
    catch (ConnectionManagerException e) {
        logCat.error("Connection Manager Exception thrown when executing query", e);
        close();
        throw new QueryException("Connection Manager Exception thrown when executing query", getSQL());
    }

    if (logCat.isDebugEnabled()) {
        logCat.debug("Execution Time in milliseconds: " + Long.toString(System.currentTimeMillis() - start));
    }

    _isValid = true;
}
---------------------------------------------------------------------------------------------------------------------
getSQL()

protected String getSQL() {
    String pdsProductCds = (String) getParam(PARAM_PDS_PRODUCT_CDS);
    // The "parameter" is spliced into the SQL text as-is rather than bound with
    // a "?" placeholder, so any quote or parenthesis in it changes the statement.
    String sql = "SELECT DISTINCT SCNS." + Consts.FIELD_PRODUCT_LINE_CD + " "
        + "FROM " + Consts.TABLE_SOLOS_CODE_NAME_SPLI + " SCNS "
        + "WHERE SCNS." + Consts.FIELD_PDS_PRODUCT_CD + " IN("
        + pdsProductCds + ") ";

    return sql;
}

-----------------------------------------------------------------------

What's wrong in the above query, and can you please help me fix this error?

Martin Vajsar
Sheriff
Posts: 3752
Welcome to the Ranch!

The "missing right parenthesis" error usually means there is a syntax error in the query. Most often the SQL parser has encountered an unexpected symbol. I'd suggest to print the actual text of the statement to the console or log, and inspect it. It looks like the values passed to it in the IN clause were not escaped properly.

Of course, this needs to be rewritten to use PreparedStatements, as you already know. Unfortunately, using the IN operator is always clumsy with prepared statements.
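As an added example (not code from this thread or from the Xelus application), here is how the IN clause could be built so that every product code is a bound parameter of a PreparedStatement, which is the rewrite recommended above; the class and method names and the literal table and column names are assumptions, since the thread only shows them through Consts.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for SpliByPdsProductCodeQuery: callers pass raw product
// codes and the SQL text never contains user data, only "?" placeholders.
public class SpliByPdsProductCodeLookup {
    // Literal table/column names assumed to match the Consts values in the thread.
    private static final String TABLE = "SOLOS_CODE_NAME_SPLI";
    private static final String PRODUCT_LINE_CD = "PRODUCT_LINE_CD";
    private static final String PDS_PRODUCT_CD = "PDS_PRODUCT_CD";

    /** Builds "... IN (?, ?, ?)" with exactly one placeholder per code. */
    static String buildSql(int codeCount) {
        if (codeCount < 1) {
            throw new IllegalArgumentException("at least one product code is required");
        }
        StringBuilder sql = new StringBuilder("SELECT DISTINCT SCNS.")
            .append(PRODUCT_LINE_CD).append(" FROM ").append(TABLE)
            .append(" SCNS WHERE SCNS.").append(PDS_PRODUCT_CD).append(" IN (");
        for (int i = 0; i < codeCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    /** Returns the distinct product line codes matching the given PDS product codes. */
    static List<String> findProductLines(Connection con, List<String> pdsCodes)
            throws SQLException {
        List<String> lines = new ArrayList<>();
        // Only the placeholder count depends on the input; each value is bound with
        // setString, so a quote or parenthesis inside a code cannot change the statement.
        try (PreparedStatement ps = con.prepareStatement(buildSql(pdsCodes.size()))) {
            for (int i = 0; i < pdsCodes.size(); i++) {
                ps.setString(i + 1, pdsCodes.get(i).toUpperCase());
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    lines.add(rs.getString(1));
                }
            }
        }
        return lines;
    }
}
```

Oracle caps an IN list at 1000 expressions (ORA-01795), so a caller with more codes than that has to split them into batches.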