
Thread: FindBugs/PreparedStatement: read query from file

  1. #1
    Join Date
    Apr 2010
    Posts
    1

    FindBugs/PreparedStatement: read query from file

    Hello everyone,

    I'm new to this forum and hoping to find help for the following problem: I load a SQL query from a file and execute it as a PreparedStatement, like this:

    Code:
    String query = loadQueryFromFile();

    ResultSet resultSet = null;
    PreparedStatement preparedStatement = null;

    try {
        preparedStatement = connection.prepareStatement(query);    // FindBugs complains here
        // set parameters

        resultSet = preparedStatement.executeQuery();

        // process result set

    } finally {
        // clean up resultSet and preparedStatement
        if (resultSet != null) resultSet.close();
        if (preparedStatement != null) preparedStatement.close();
    }
    Now FindBugs (1.3.9) is complaining "A prepared statement is generated from a nonconstant String" (SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING). Is there any possibility to read a query from a file which does *not* lead to this (or any other) FindBugs warning?

    Thanks in advance,
    Michael

  2. #2
    Join Date
    Apr 2007
    Posts
    442

    Re: FindBugs/PreparedStatement: read query from file

    FindBugs can be tweaked to a considerable extent as to what issues it warns about. It's been a while since I actively used it, but if I recall correctly you could turn even single bug patterns on and off. FindBugs is a tool; warnings are suggestions for you to consider better practices. Heed them where you feel appropriate. FindBugs is a decent show, just tune it to what suits your needs, and if it really bugs you... don't use it.
    Last edited by Londbrok; April 16th, 2010 at 02:53 AM.

  3. #3
    Join Date
    May 2006
    Location
    UK
    Posts
    4,473

    Re: FindBugs/PreparedStatement: read query from file

    More to the point, why are you using a prepared statement which you are then throwing away? The point of using prepared statements is that they can be efficiently reused. If you just want to execute an SQL statement once, then get a Statement object (use myConnection.createStatement()) and then pass your SQL string to its execute(..) method.

    If you really need to suppress this warning, I believe FindBugs supports an annotation to suppress particular warnings on a method. I think it is something like the following, but I've never used it so can't be certain it works:
    Code:
    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NM_METHOD_NAMING_CONVENTION")
    Where "NM_METHOD_NAMING_CONVENTION" is the name of the bug to suppress warnings for.

  4. #4
    Join Date
    Mar 2010
    Posts
    74

    Re: FindBugs/PreparedStatement: read query from file

    Does this solve your problem?

    Code:
    final String queryFinal = new String(loadQueryFromFile());

    ...................
    preparedStatement = connection.prepareStatement(queryFinal);

    I did not check it with FindBugs, but maybe it does not generate a warning))

  5. #5
    Join Date
    Feb 2008
    Posts
    966

    Re: FindBugs/PreparedStatement: read query from file

    Quote Originally Posted by michael6666 View Post
    Now FindBugs (1.3.9) is complaining "A prepared statement is generated from a nonconstant String" (SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING). Is there any possibility to read a query from a file which does *not* lead to this (or any other) FindBugs warning?
    Like has already been said, FindBugs is trying to compare your code to best practices. What it is trying to tell you here is that you are not using PreparedStatement how it is intended. The term itself, "Prepared" Statement, indicates that the SQL has been pre-written, hence "prepared". A prepared statement is intended to be a hard-coded statement that has parameters that can be passed in (reuse, as said by another poster). Take this example:

    Code:
    // the SQL text is a constant; only the three placeholders vary at runtime
    String sql = "INSERT INTO FOO VALUES (?, ?, ?)";
    PreparedStatement ps = conn.prepareStatement(sql);
    ps.setString(1, val1);
    ps.setString(2, val2);
    ps.setString(3, val3);
    Now, you can use the power of the prepared statement to help prevent SQL injection. The SQL statement is constant, but the parameters will change. This is how it is intended to be used.

    Now, that being said, FindBugs is just a guide to help you perform best practices. If you feel comfortable with, and are in control of, where the SQL statements are coming from, then by all means keep doing it the same way you are currently. It is not a problem of performance; your code is not incorrect, it's just not best practice.

  6. #6
    Join Date
    May 2006
    Location
    UK
    Posts
    4,473

    Re: FindBugs/PreparedStatement: read query from file

    Quote Originally Posted by keang View Post
    More to the point, why are you using a prepared statement which you are then throwing away? The point of using prepared statements is that they can be efficiently reused. If you just want to execute an SQL statement once, then get a Statement object (use myConnection.createStatement()) and then pass your SQL string to its execute(..) method.

    If you really need to suppress this warning, I believe FindBugs supports an annotation to suppress particular warnings on a method. I think it is something like the following, but I've never used it so can't be certain it works:
    Code:
    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NM_METHOD_NAMING_CONVENTION")
    Where "NM_METHOD_NAMING_CONVENTION" is the name of the bug to suppress warnings for.
    Update:
    This is the correct annotation detail to suppress warnings, but you also need to place the annotations.jar and jsr305.jar files in the classpath whilst compiling your program. The docs for this annotation state:

    edu.umd.cs.findbugs.annotations.SuppressWarnings
    [Target] Type, Field, Method, Parameter, Constructor, Package
    [Parameter]

    value: The name of the warning. More than one name can be specified.

    justification: Reason why the warning should be ignored. Default value: "".

    The set of warnings that are to be suppressed by the compiler in the annotated element. Duplicate names are permitted. The second and successive occurrences of a name are ignored. The presence of unrecognized warning names is not an error: Compilers must ignore any warning names they do not recognize. They are, however, free to emit a warning if an annotation contains an unrecognized warning name. Compiler vendors should document the warning names they support in conjunction with this annotation type. They are encouraged to cooperate to ensure that the same names work across multiple compilers.
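The following is an added example, not code from any poster in this thread. It ties together the advice from posts #5 and #6: the SQL text is read once from a classpath resource that ships with the application (so the text FindBugs cannot prove constant is still a read-only, deploy-time artifact), every runtime value is bound through a `?` placeholder rather than concatenated into the query, the PreparedStatement is created once and reused, and the remaining warning is suppressed with the `value`/`justification` parameters documented in post #6 so that the reason is recorded next to the code. The resource name, table and column names, and the `UserLookupDao` class are assumptions for this example; `InputStream.readAllBytes()` needs Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Example DAO (hypothetical) that loads its SQL from a classpath resource and
 * binds all runtime values as parameters. The resource is assumed to contain:
 *   SELECT id, name FROM users WHERE status = ? AND created_after > ?
 */
public class UserLookupDao implements AutoCloseable {

    // Assumed resource path; it is packaged with the application, not user input.
    private static final String QUERY_RESOURCE = "/sql/find-users-by-status.sql";

    private final PreparedStatement lookup;   // prepared once, reused per call

    // Same non-constant String as in the original question. FindBugs flags it
    // because it cannot see where the String came from; the annotation records
    // why this instance is acceptable (read-only resource, parameters bound).
    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
        value = "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING",
        justification = "SQL text is a read-only classpath resource; all runtime values are bound as parameters")
    public UserLookupDao(Connection connection) throws IOException, SQLException {
        this.lookup = connection.prepareStatement(loadQueryFromClasspath(QUERY_RESOURCE));
    }

    /** Reads the whole resource as UTF-8; fails loudly if it is missing from the build. */
    static String loadQueryFromClasspath(String resource) throws IOException {
        try (InputStream in = UserLookupDao.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("missing SQL resource: " + resource);
            }
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Safe use: the untrusted values never touch the SQL text. */
    public List<String> findNames(String status, java.sql.Date createdAfter) throws SQLException {
        List<String> names = new ArrayList<>();
        lookup.setString(1, status);        // bound as a parameter ...
        lookup.setDate(2, createdAfter);    // ... never spliced into the query
        try (ResultSet rs = lookup.executeQuery()) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    /**
     * The pattern post #5 warns against, kept here only as the contrast: the
     * value becomes part of the SQL text, so whatever the caller passes is
     * interpreted as SQL. FindBugs reports this kind of call as well.
     */
    static ResultSet unsafeFindByStatus(Connection connection, String status) throws SQLException {
        Statement st = connection.createStatement();
        return st.executeQuery("SELECT id, name FROM users WHERE status = '" + status + "'");
    }

    @Override
    public void close() throws SQLException {
        lookup.close();   // one statement to clean up, instead of one per query
    }
}
```

The annotation only documents the decision; what actually keeps the code safe is that the loaded file is under the deployer's control and every caller-supplied value goes through `setString`/`setDate`. If the file path or its contents could be influenced at runtime, the warning would be pointing at a real problem and should not be suppressed.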
