1

I'm looking for a utility to prepare a SQL statement with named parameters and values, but not execute it. I just want the resulting SQL statement, with values substituted for named params, as a java.lang.String object. I did not find anything in Spring or Apache Commons. [I know how to enable debug logging for java.sql.*] Because I'm querying a db instance on a mainframe, prepared statements are not allowed; the support has been disabled, for some strange reason. That decision is beyond my control or influence. Do you know of a utility that can help me? I guess I could roll my own utility if I had to, but I'd rather not.

bwfrieds
  • 341
  • 3
  • 20

2 Answers2

0

First, you should know that one of the reasons for the prepared statement is security. The natural way of simply replacing placeholders with textual representation of parameters and then sending a simple string had been the cause of many SQL injection attacks. A classical example is 

SELECT * FROM tab WHERE tabid = ?

with a parameter of 1; DELETE FROM tab and textual replacement of parameters, you transform a simple query in a delete all statement. Of course real attacks could be much more clever than that ...

It is really strange that in a mainframe database, one recommends plain SQL statements over prepared statements. In my experiences, security reasons leaded to the opposite rule. You should really ask for the reason of that, and what is the recommended approach. It could be be the usage of a special library, or a framework or ... but if you can, do avoid textual replacement.

Edit:

If your are really stuck with textual replacement, you will have to roll your own utility. As explained above, I cannot imagine the a framework does that. In a real word application, it can be made reasonably sure if you can validate all the inputs to avoid any possibility of SQL injection (no special characters or only at know places). But if I were at your place, I would not try to mimic SQL prepared statements, and I would simply use String.format where the format string will be the SQL query with placeholders in Formatter syntax.

Serge Ballesta
  • 143,923
  • 11
  • 122
  • 252
  • Thank you for this answer. Requesting support for prepared statements is above my paygrade. It has been revisited many times by others. I'll just stick with regex. – bwfrieds Oct 21 '14 at 14:29
0

This is like saying you'd like to see your Java code with the user's input hardcoded into the source.

That would be ridiculous, because you know that the user's input is never combined with the Java source. It's combined (so to speak) with the compiled Java app at runtime. There is never a time when input data becomes merged into the source.

It's the same way with prepared SQL statements.

During prepare(), the RDBMS receives the textual SQL string, and parses it internally and retains a sort of "bytecode" version of the query. In this internal representation, the parameter placeholders are noted, and the query cannot execute before values are provided.

During execute(), the RDBMS receives parameter values, and combines them with the bytecode. The parameters never see the original SQL text! That's the way it is supposed to work.

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
  • Thank you for this answer. Yeah, I'm aware of the security concerns but I have to play with the cards I'm dealt. – bwfrieds Oct 21 '14 at 14:31
  • What kind of a twisted deathwish project disables prepared statements!? It's as if they *want* to get hacked. Not blaming you, just shaking my head in disbelief. – Bill Karwin Oct 21 '14 at 15:52