Skip to content

Refactor SQL module to use PreparedStatement (#1611) #1612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Refactor SQL module to use PreparedStatement (#1611) #1612

wants to merge 3 commits into from
+77 −83

Conversation

@ferCancholaCruz
Copy link

@ferCancholaCruz ferCancholaCruz commented Jul 22, 2025

This PR refactors parts of the SQL module to use PreparedStatement instead of SQL string concatenation, in accordance with issue #1611.

✅ Refactored:

  • SQLSpout.java: replaced string-based query building with PreparedStatement
  • IndexerBolt.java: refactored dynamic insert with metadata into a clean, safe PreparedStatement

☑️ StatusUpdaterBolt.java already used PreparedStatement correctly and did not require changes.

The module compiles cleanly with mvn clean install -DskipTests and follows recommended SQL practices.

Closes #1611

@jnioche
Copy link
Contributor

jnioche commented Jul 22, 2025

Thanks for contributing @ferCancholaCruz

Can you please reinstate the license headers and comments that your PR removed?
Also please run the formatting with
mvn git-code-format:format-code -Dgcf.globPattern="**/*" -Dskip.format.code=false
prior to committing. Most of the changes in your PR have nothing to do with what you are trying to achieve but are changes to the formatting that is established for the project,

Thanks!

sigee
sigee reviewed Jul 23, 2025
View reviewed changes
external/sql/src/main/java/org/apache/stormcrawler/sql/IndexerBolt.java
Copy link
Member

@sigee sigee Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I do not really get why do you changed the single StringBuilder query to StringBuilder fieldsBuilder, StringBuilder placeholdersBuilder and StringBuilder updatesBuilder with the overcomplicated query building? One single for loop appends different parts to different StringBuilders. The original version was already a PreparedStatement. I can't see any additional value replacing it. Finally it is the same SQL query generated with more resource is used.
Am I missing something?

Copy link
Contributor

@rzo1 rzo1 Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original intention of the issue was to replace direct String concat with parameter replacements and pre-build queries. The SQL strings could be prepared on init and just looked up (might open the was for a more sophisticated solution using a connection pool).

Side note: One would need to sanitize table names, too, because they cannot be set as ? In a prepared statement, so might be good to add a simple check.

rzo1
rzo1 requested changes Jul 28, 2025
View reviewed changes
external/sql/src/main/java/org/apache/stormcrawler/sql/IndexerBolt.java
query.append(", ").append((String) o);
}
// Build SQL statement with prepared statement
StringBuilder fieldsBuilder = new StringBuilder(fieldNameForURL());
Copy link
Contributor

@rzo1 rzo1 Jul 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @sigee here. We shouldn't create a lot of StringBuilders here and instead use parameter replacement were needed. In addition, I would add a simple (regex) check for the table name to avoid anything unexpected.

@jnioche
Copy link
Contributor

jnioche commented Nov 25, 2025

@rzo1 @sigee closing as inactive?

@jnioche jnioche closed this Nov 28, 2025
@jnioche
Copy link
Contributor

jnioche commented Nov 28, 2025

closed as inactive, feel free to reopen @ferCancholaCruz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sigee sigee sigee left review comments

@rzo1 rzo1 rzo1 requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Refactor SQL module to use prepared statements

4 participants

@ferCancholaCruz @jnioche @sigee @rzo1