Question

I have seen some talend open studio tutorials and documentation speaking about SQL query building. In them, the advice was to build the query using concatenation like:

"Select id, name, phone from customers where id=" + (String)globalMap.get("_tcomponent_var")

to parametrize the query. I really don't like this way of building queries. I would like to know if there is a way to parametrize queries inside Talend components like in ADO.NET or JDBC, where you put special variables inside the query string and then add the values of these variables as parameters.

How can I achieve this using talend?

I'm afraid of security issues (SQL injection) and I believe building strings by concatenation is a bad practice.


Solution 2

Ok, I found the answer myself. There are components named txxxRow (tMysqlRow, tMSSqlRow, etc.) that have an advanced configuration where you can set the preparedStatement.

It is sad that the sqlxxxInput components don't have this option.

OTHER TIPS

You'll want to use prepared statements and use ? placeholders for positional arguments. If you use JPA, you can use named parameters like :foo as well (which is similar to other languages' SQL implementations).

For example, suppose you have a java.sql.Connection object called conn. Then you create a prepared statement like:

// The SQL text is fixed; the globalMap value is bound as parameter 1 (JDBC indexes start at 1)
PreparedStatement ps = conn.prepareStatement("select id, name, phone from customers where id = ?");
ps.setString(1, (String) globalMap.get("_tcomponent_var"));
ResultSet rs = ps.executeQuery();
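A fuller version of that binding, written here as an added example (it is not code from the answer above, from Talend or from the JDBC documentation): the query text never changes, the globalMap value only reaches the driver as a typed parameter, and a non-numeric id is rejected before any SQL runs. The JDBC URL is a placeholder and a matching driver is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

/** Added example: bind Talend globalMap values as JDBC parameters instead of splicing them into SQL text. */
public class ParametrizedCustomerQuery {

    /** Bind each value with the JDBC setter matching its runtime type; positions are 1-based. */
    static void bindAll(PreparedStatement ps, Object... values) throws SQLException {
        for (int i = 0; i < values.length; i++) {
            Object v = values[i];
            int idx = i + 1;
            if (v instanceof Integer) {
                ps.setInt(idx, (Integer) v);
            } else if (v instanceof Long) {
                ps.setLong(idx, (Long) v);
            } else {
                ps.setString(idx, String.valueOf(v)); // sent as data, never parsed as SQL
            }
        }
    }

    /** The SQL is a compile-time constant; the id comes from globalMap but only as a bound parameter. */
    static ResultSet findCustomer(Connection conn, Map<String, Object> globalMap) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "select id, name, phone from customers where id = ?");
        // globalMap values are Objects in Talend; coerce to int so a non-numeric value
        // fails here with NumberFormatException instead of being handed to the database.
        int id = Integer.parseInt(String.valueOf(globalMap.get("_tcomponent_var")).trim());
        bindAll(ps, id);
        return ps.executeQuery();
    }

    public static void main(String[] args) throws SQLException {
        // Constructed stand-in for Talend's globalMap with the key used in the question
        Map<String, Object> globalMap = new HashMap<>();
        globalMap.put("_tcomponent_var", "42");
        // Placeholder JDBC URL: substitute the connection settings of the target database
        try (Connection conn = DriverManager.getConnection("jdbc:PLACEHOLDER_URL");
             ResultSet rs = findCustomer(conn, globalMap)) {
            while (rs.next()) {
                System.out.println(rs.getInt("id") + " " + rs.getString("name") + " " + rs.getString("phone"));
            }
        }
    }
}
```

In a Talend job the same pattern fits a tXxxRow component with "Use PreparedStatement" enabled: the query holds the `?` placeholders and the globalMap values are supplied in the parameter table.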

You need to read about PreparedStatement for parametrized queries.

for example:

PreparedStatement ps = con.prepareStatement("Select id, name, phone from customers where id = ?");
// setInt needs the 1-based parameter index; globalMap values are Objects, so convert first
ps.setInt(1, Integer.parseInt((String) globalMap.get("_tcomponent_var")));

Read more about PreparedStatement in Java.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow