[
https://issues.apache.org/jira/browse/DERBY-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13090468#comment-13090468
]
Knut Anders Hatlen commented on DERBY-3676:
-------------------------------------------
Probably more likely than someone getting hold of an actual PreparedStatement
instance on which they can call toString(), is that existing (diagnostics) code
is implicitly calling toString() by printing PreparedStatements to a log. For
example, we could have an application that currently prints the following log:
Preparing statement "INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)"
prepareStatement() returned:
org.apache.derby.client.net.NetPreparedStatement40@af43d1
....
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1
executing org.apache.derby.client.net.NetPreparedStatement40@af43d1
After upgrading to a release that contains the proposed changes to toString(),
it'll print something like this instead:
Preparing statement "INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)"
prepareStatement() returned: INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)
....
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Kathey', 123)
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Knut', 456)
executing INSERT INTO PATIENTS(NAME, SSN) VALUES ('Rick', 789)
And suddenly all our SSNs have inadvertently leaked to the plaintext log.
> Make the toString() method of Derby PreparedStatements print out SQL text
> with ? parameters replaced by the values that have been set so far
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-3676
> URL: https://issues.apache.org/jira/browse/DERBY-3676
> Project: Derby
> Issue Type: Improvement
> Components: JDBC
> Reporter: Rick Hillegas
> Assignee: Siddharth Srivastava
> Attachments: d3676.patch, humanstringprepared.txt,
> humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt,
> humanstringprepared.txt, humanstringprepared.txt, humanstringprepared.txt,
> ick.txt, ick.txt, prepared.diff, statementCacheVTI.sql
>
>
> This topic came up in the following email thread on the user list:
> http://www.nabble.com/PreparedStatement.toString%28%29---nice-formatting-td17250811.html#a17250811
> Here's what the thread requests:
> "In mysql, a toString() on a PreparedStatement will do this, eg "select x
> from foo where x.a = ?" will become "select x from foo where x.a = 1" with
> the appropriate setValue() call."
> At first blush, this seems like it might be a simple project for a newcomer.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
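The leak Knut describes is worth seeing in code: nothing in the application calls toString() explicitly, a string concatenation in a log statement does it implicitly, so a behavioural change in toString() silently changes what lands in the log. The following is an added example written for this page, not Derby code and not the patch attached to the issue. FakePreparedStatement is a hypothetical stand-in (it does not implement java.sql.PreparedStatement) that models the proposed behaviour, and naiveLogLine/redactedLogLine are hypothetical helpers showing the leaking pattern beside a logging pattern that never touches the bound values. The PATIENTS rows are constructed sample data taken from the comment.

```java
import java.util.Map;
import java.util.TreeMap;

/**
 * Constructed model (not Derby code) of a prepared statement whose
 * toString() splices bound parameter values into the SQL text, which is
 * what DERBY-3676 proposes, next to a logging helper that never calls
 * that toString() and so keeps parameter values out of the log.
 */
public class StatementLogLeak {

    /** Hypothetical stand-in for a PreparedStatement; not java.sql. */
    static final class FakePreparedStatement {
        private final String sql;
        private final Map<Integer, Object> params = new TreeMap<>();

        FakePreparedStatement(String sql) { this.sql = sql; }

        void setString(int index, String value) { params.put(index, value); }
        void setInt(int index, int value) { params.put(index, value); }

        String getSqlText() { return sql; }
        int getParameterCount() { return params.size(); }

        /** The proposed behaviour: '?' markers replaced by the values set so far. */
        @Override
        public String toString() {
            StringBuilder out = new StringBuilder();
            int index = 1;
            for (int i = 0; i < sql.length(); i++) {
                char c = sql.charAt(i);
                if (c == '?') {
                    Object v = params.get(index++);
                    if (v == null) {
                        out.append('?');                       // not yet set
                    } else if (v instanceof String) {
                        out.append('\'')
                           .append(((String) v).replace("'", "''"))
                           .append('\'');
                    } else {
                        out.append(v);
                    }
                } else {
                    out.append(c);
                }
            }
            return out.toString();
        }
    }

    /** Implicit toString(): string concatenation is how the values reach the log. */
    static String naiveLogLine(FakePreparedStatement ps) {
        return "executing " + ps;
    }

    /** Safe alternative: log the parameterised SQL and a count, never the values. */
    static String redactedLogLine(FakePreparedStatement ps) {
        return "executing " + ps.getSqlText()
             + " [" + ps.getParameterCount() + " parameter(s) bound, values redacted]";
    }

    public static void main(String[] args) {
        FakePreparedStatement ps =
            new FakePreparedStatement("INSERT INTO PATIENTS(NAME, SSN) VALUES (?, ?)");
        ps.setString(1, "Kathey");   // constructed sample data, as in the comment
        ps.setInt(2, 123);

        // Same object, two log lines: one carries the SSN, one does not.
        System.out.println(naiveLogLine(ps));
        System.out.println(redactedLogLine(ps));
    }
}
```

Two caveats. First, the '?' scan above is only a display aid and is deliberately simplistic: it would also replace a '?' inside a SQL string literal, and the quoted output is never meant to be fed back to the database. Second, the practical check after an upgrade that changes toString() is to grep the code base for log or concatenation sites that pass the statement object itself (`"..." + ps`, `log.info(ps)`, `String.valueOf(ps)`), since those are the places where previously harmless object identifiers turn into parameter values.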