[Info-vax] Better languages than BASIC
Arne Vajhøj
arne at vajhoej.dk
Mon Jan 15 13:13:00 EST 2024
On 1/15/2024 8:21 AM, Simon Clubley wrote:
> On 2024-01-12, Lawrence D'Oliveiro <ldo at nz.invalid> wrote:
>> On Fri, 12 Jan 2024 13:34:53 -0000 (UTC), Simon Clubley wrote:
>>
>>> For security reasons, I would have preferred to see that as a prepared
>>> statement instead of as a concatenated SQL statement.
>>
>> Feel free to show us how you would write it as same. Can your prepared-
>> statement system cope with variable numbers of fields? Variable field
>> names? Variable operator selections? All these were present in the
>> example.
>
> I have _never_ had the need to do that. In the real world, you know what
> data you want to read or update, and with what selection criteria, at the
> point you write such code.
Typical criteria are static.
But if one needs dynamic criteria then there are also ways.
The COALESCE trick is quite common.
But as a fallback then it is still possible to build a
SQL string with placeholder markers dynamically, prepare
that and specify parameters.
The extendable string template mechanism added
to Java in version 21 (preview) can be used pretty
niftily.
Code snippet:
// Needs java.sql.* imports and --enable-preview on JDK 21 (string templates are a preview feature)
private static void test(Connection con, String f2) throws SQLException {
    // PreparedStatementFormatter is presumably a custom StringTemplate.Processor
    // (not shown in the post) that turns each \{...} into a '?' placeholder
    // and binds the embedded value as a parameter.
    PreparedStatementFormatter pstmtfmt = new PreparedStatementFormatter(con);
    // The value of f2 never becomes part of the SQL text; it is bound as a parameter
    try (PreparedStatement pstmt = pstmtfmt."SELECT COUNT(*) FROM t1 WHERE f2 = \{f2}") {
        try (ResultSet rs = pstmt.executeQuery()) {
            rs.next();
            System.out.println(rs.getInt(1));
        }
    }
}
Arne
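Added example (not from Arne's post, and not the Java shown there): a Python/sqlite3 illustration of the two approaches the post names, the COALESCE trick for an optional criterion and a dynamically built WHERE clause that still uses placeholder markers for every value. It goes a step beyond the single f2 criterion in the post to the variable numbers of fields, field names and operators raised earlier in the thread, by whitelisting the column and operator tokens and binding only the values. Table t1 and column f2 come from the post; the f1 column, the sample rows and the whitelists are constructed assumptions.

```python
import sqlite3

# Constructed sample data: table t1(f1, f2) with one NULL in f2.
SAMPLE_ROWS = [(1, "a"), (2, "b"), (3, "a"), (4, None)]

# Whitelists (assumed for this example): only these column names and
# operators may ever be interpolated into the SQL text.
ALLOWED_COLUMNS = {"f1", "f2"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "LIKE"}


def open_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t1 (f1 INTEGER, f2 TEXT)")
    con.executemany("INSERT INTO t1 (f1, f2) VALUES (?, ?)", SAMPLE_ROWS)
    return con


def count_coalesce(con, f2=None):
    """Static statement with an optional criterion via the COALESCE trick.

    Passing None for f2 disables the filter: f2 = COALESCE(NULL, f2) is true
    for every non-NULL f2. Caveat: rows where f2 IS NULL never match, because
    NULL = NULL is not true in SQL, so "no filter" is not quite "all rows".
    """
    sql = "SELECT COUNT(*) FROM t1 WHERE f2 = COALESCE(?, f2)"
    return con.execute(sql, (f2,)).fetchone()[0]


def build_where(criteria):
    """Build a parameterised WHERE clause from (column, operator, value) triples.

    Column names and operators are checked against the whitelists, so only
    trusted tokens reach the SQL text; the values always travel as bound
    parameters and can never change the statement's structure.
    """
    clauses, params = [], []
    for column, operator, value in criteria:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if operator not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {operator!r}")
        clauses.append(f"{column} {operator} ?")
        params.append(value)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return where, params


def count_dynamic(con, criteria):
    """Variable number of fields, names and operators, still a prepared statement."""
    where, params = build_where(criteria)
    sql = "SELECT COUNT(*) FROM t1" + where
    return con.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    con = open_db()
    print(count_coalesce(con, "a"))                                   # 2
    print(count_coalesce(con))                                        # 3 (NULL row excluded)
    print(count_dynamic(con, [("f1", ">", 1), ("f2", "=", "a")]))    # 1
    print(count_dynamic(con, [("f2", "=", "a' OR '1'='1")]))          # 0: value is data, not SQL
```

The last call in the usage section is the point of the exercise: a value containing quote characters is compared literally against f2 and matches nothing, because it is passed as a parameter rather than spliced into the statement text. The only strings that ever reach the SQL text are the whitelisted column and operator tokens.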