FindBugs/PreparedStatement: read query from file
Hello everyone,
I'm new to this forum and hoping to find help for the following problem: I load a SQL query from a file and execute it as PreparedStatement, like this:
Code:
String query = loadQueryFromFile();
ResultSet resultSet = null;
PreparedStatement preparedStatement = null;
try {
    preparedStatement = connection.prepareStatement(query); // FindBugs complains here
    // set parameters
    resultSet = preparedStatement.executeQuery();
    // process result set
} finally {
    // clean up resultSet and preparedStatement
}
Now FindBugs (1.3.9) is complaining "A prepared statement is generated from a nonconstant String" (SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING). Is there any possibility to read a query from a file which does *not* lead to this (or any other) FindBugs warning?
Thanks in advance,
Michael
Re: FindBugs/PreparedStatement: read query from file
FindBugs can be tweaked to a considerable extent as to which issues it warns about. It's been a while since I actively used it, but if I recall correctly you could turn even single bug patterns on and off. FindBugs is a tool; warnings are suggestions for you to consider better practices. Heed them where you feel appropriate. FindBugs is a decent show, just tune it to what suits your needs; if it really bugs you... don't use it.
Re: FindBugs/PreparedStatement: read query from file
More to the point, why are you using a prepared statement which you are then throwing away? The point of using prepared statements is that they can be efficiently reused. If you just want to execute an SQL statement once, then get a Statement object (use myConnection.createStatement()) and then pass your SQL string to its execute(..) method.
If you really need to suppress this warning, I believe FindBugs supports an annotation to suppress particular warnings on a method. I think it is something like the following, but I've never used it so can't be certain it works:
Code:
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NM_METHOD_NAMING_CONVENTION")
Where "NM_METHOD_NAMING_CONVENTION" is the name of the bug to suppress warnings for.
Re: FindBugs/PreparedStatement: read query from file
Does this solve your problem?
Code:
final String queryFinal = new String(loadQueryFromFile());
...................
preparedStatement = connection.prepareStatement(queryFinal);
I did not check it with FindBugs, but maybe it does not generate a warning))
Re: FindBugs/PreparedStatement: read query from file
Quote: Originally Posted by michael6666
Now FindBugs (1.3.9) is complaining "A prepared statement is generated from a nonconstant String" (SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING). Is there any possibility to read a query from a file which does *not* lead to this (or any other) FindBugs warning?
Like has already been said, FindBugs is trying to compare your code to best practices. What it is trying to tell you here is that you are not using PreparedStatement how it is intended. The term itself, "Prepared" Statement, indicates that the SQL has been pre-written, hence "prepared". A prepared statement is intended to be a hard-coded statement that has parameters that can be passed in (reuse, as said by another poster). Take this example:
Code:
String sql = "INSERT INTO FOO VALUES (?, ?, ?)";
PreparedStatement ps = conn.prepareStatement(sql);
ps.setString(1, val1);
ps.setString(2, val2);
ps.setString(3, val3);
Now, you can use the power of the prepared statement to help prevent SQL injection. The SQL statement is constant, but the parameters will change. This is how it is intended to be used.
Now, that being said, FindBugs is just a guide to help you perform best practices. If you feel comfortable with, and are in control of, where the SQL statements are coming from, then by all means do it the same way you are currently. It is not a problem of performance, and your code is not incorrect; it's just not best practice.
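The following is an added example, not code from any poster in this thread. It combines the two points made above: the query text is loaded from a file the application ships (as in the original question), while every runtime value still goes through a '?' placeholder, so the file's contents are the only thing that ever becomes SQL. It assumes the H2 in-memory database driver is on the classpath (jdbc:h2:mem:...) and Java 11 or later for Files.readString; the table, rows and query file are constructed inline so it runs stand-alone.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not from the thread). The SQL template comes from a file,
 * the parameters come from the caller, and the two never mix.
 * Assumes the H2 driver is available on the classpath.
 */
public class FileQueryExample {

    // Constructed sample query file content. In a real deployment the file
    // is an application artifact, never something a user can write to.
    private static final String SAMPLE_QUERY =
        "SELECT id, name FROM users WHERE name = ?";

    /** Loads the query template from a file owned by the application. */
    static String loadQueryFromFile(Path file) throws IOException {
        return Files.readString(file, StandardCharsets.UTF_8).trim();
    }

    /**
     * Executes the file-loaded template with the value bound as a parameter.
     * FindBugs will still flag prepareStatement(sql) as built from a
     * non-constant String; the injection risk it warns about is avoided
     * here because the non-constant part is the trusted file, not the user value.
     */
    static int countByName(Connection conn, String sql, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // bound as data, never spliced into the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) {
                    rows++;
                }
                return rows;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed query file for the demo.
        Path queryFile = Files.createTempFile("query", ".sql");
        Files.writeString(queryFile, SAMPLE_QUERY, StandardCharsets.UTF_8);

        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
            }
            String sql = loadQueryFromFile(queryFile);

            // A value containing quote characters is compared literally against
            // the name column, so it matches zero rows instead of changing the query.
            String quoted = "x' OR '1'='1";
            System.out.println("rows for quoted input: " + countByName(conn, sql, quoted)); // 0
            System.out.println("rows for alice: " + countByName(conn, sql, "alice"));      // 1
        } finally {
            Files.deleteIfExists(queryFile);
        }
    }
}
```

The design choice worth noting is that the file is read once and treated as part of the application's code, exactly like the hard-coded string in the INSERT example above. If the file could be edited by anyone other than the deployer, binding parameters would not help, which is the scenario the SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING pattern is there to make you think about.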
Re: FindBugs/PreparedStatement: read query from file
Quote: Originally Posted by keang
More to the point, why are you using a prepared statement which you are then throwing away? The point of using prepared statements is that they can be efficiently reused. If you just want to execute an SQL statement once, then get a Statement object (use myConnection.createStatement()) and then pass your SQL string to its execute(..) method.
If you really need to suppress this warning, I believe FindBugs supports an annotation to suppress particular warnings on a method. I think it is something like the following, but I've never used it so can't be certain it works:
Code:
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value="NM_METHOD_NAMING_CONVENTION")
Where "NM_METHOD_NAMING_CONVENTION" is the name of the bug to suppress warnings for.
Update:
This is the correct annotation detail to suppress warnings, but you also need to place the annotations.jar and jsr305.jar files in the classpath whilst compiling your program. The docs for this annotation state:
Quote:
edu.umd.cs.findbugs.annotations.SuppressWarnings
[Target] Type, Field, Method, Parameter, Constructor, Package
[Parameter]
value: The name of the warning. More than one name can be specified.
justification: Reason why the warning should be ignored. Default value: "".
The set of warnings that are to be suppressed by the compiler in the annotated element. Duplicate names are permitted. The second and successive occurrences of a name are ignored. The presence of unrecognized warning names is not an error: Compilers must ignore any warning names they do not recognize. They are, however, free to emit a warning if an annotation contains an unrecognized warning name. Compiler vendors should document the warning names they support in conjunction with this annotation type. They are encouraged to cooperate to ensure that the same names work across multiple compilers.