db-derby-dev mailing list archives

From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-3676) Make the toString() method of Derby PreparedStatements print out SQL text with ? parameters replaced by the values that have been set so far
Date Wed, 24 Aug 2011 20:46:30 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13090468#comment-13090468 ]

Knut Anders Hatlen commented on DERBY-3676:
-------------------------------------------

Probably more likely than someone getting hold of an actual PreparedStatement instance on
which they can call toString(), is that existing (diagnostics) code is implicitly calling
toString() by printing PreparedStatements to a log. For example, we could have an application
that currently prints the following log:

Preparing statement "INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)
prepareStatement() returned: org.apache.derby.client.net.NetPreparedStatement40@af43d1
....
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1

After upgrading to a release that contains the proposed changes to toString(), it'll print
something like this instead:

Preparing statement "INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)
prepareStatement() returned: INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)
....
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Kathey', 123)
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Knut', 456)
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Rick', 789)

And suddenly all our SSNs have inadvertently leaked to the plaintext log.

> Make the toString() method of Derby PreparedStatements print out SQL text with ? parameters replaced by the values that have been set so far
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3676
>                 URL: https://issues.apache.org/jira/browse/DERBY-3676
>             Project: Derby
>          Issue Type: Improvement
>          Components: JDBC
>            Reporter: Rick Hillegas
>            Assignee: Siddharth Srivastava
>         Attachments: d3676.patch, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt, ick.txt, ick.txt, prepared.diff, statementCacheVTI.sql
>
>
> This topic came up in the following email thread on the user list: http://www.nabble.com/PreparedStatement.toString%28%29---nice-formatting-td17250811.html#a17250811
> Here's what the thread requests: 
> "In mysql, a toString() on a PreparedStatement will do this, eg "select x
> from foo where x.a = ?" will become "select x from foo where x.a = 1" with
> the appropriate setValue() call."
> At first blush, this seems like it might be a simple project for a newcomer.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
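One defensive response to the implicit-toString() leak described in the comment above, written here as an added example (it is not Derby code and not part of the issue): wrap the PreparedStatement in a java.lang.reflect.Proxy whose toString() reports which parameters were bound and through which setter, but never the values, so diagnostics code that does `"executing " + ps` keeps working without spilling SSNs. The class RedactingStatement and its method names are this example's own; the SQL in main() is the statement from the log in the comment.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.PreparedStatement;
import java.util.Map;
import java.util.TreeMap;

/** Proxy so that an implicit toString(), e.g. log("executing " + ps), shows which
 *  parameters are bound and via which setter, but never the bound values. */
public final class RedactingStatement implements InvocationHandler {
    private final PreparedStatement target;                      // the real Derby statement
    private final String sql;                                    // text given to prepareStatement
    private final Map<Integer, String> bound = new TreeMap<>();  // parameter index -> setter type

    private RedactingStatement(PreparedStatement t, String s) { target = t; sql = s; }

    /** Wrap the statement returned by conn.prepareStatement(sql). */
    public static PreparedStatement wrap(PreparedStatement target, String sql) {
        return (PreparedStatement) Proxy.newProxyInstance(PreparedStatement.class.getClassLoader(),
                new Class<?>[] {PreparedStatement.class}, new RedactingStatement(target, sql));
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        String name = m.getName();
        if (name.equals("toString") && m.getParameterCount() == 0) return redact(sql, bound);
        // Parameter setters are set*(int index, value, ...); option setters take a single argument.
        if (name.startsWith("set") && args != null && args.length >= 2 && args[0] instanceof Integer) {
            bound.put((Integer) args[0], name.substring(3));   // remember the type, discard the value
        } else if (name.equals("clearParameters")) {
            bound.clear();
        }
        return m.invoke(target, args);
    }

    /** Tag the n-th '?' marker outside single-quoted literals with the setter type it was bound with. */
    static String redact(String sql, Map<Integer, String> bound) {
        StringBuilder out = new StringBuilder();
        boolean inQuote = false;
        int idx = 0;
        for (char c : sql.toCharArray()) {
            if (c == '\'') inQuote = !inQuote;            // a doubled '' toggles twice, which is harmless
            if (c != '?' || inQuote) { out.append(c); continue; }
            idx++;
            out.append(bound.containsKey(idx) ? "?<" + bound.get(idx) + ">" : "?");
        }
        return out.toString();
    }

    public static void main(String[] a) {   // offline demo of the rendering, no database needed
        System.out.println(redact("INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)", Map.of(1, "String", 2, "Int")));
    }
}
```

Calls that are not parameter setters, including execute(), are passed straight through to the wrapped Derby statement, so the wrapper changes only what ends up in the log.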