The Definitive Guide to Data Quality
Solved! Go to Solution.
Can you please explain what is wrong with using a Prepared Statement in the input components?
Why not let the user decide whether to use a PreparedStatement or a simple statement. (This is how my tJDBCInput extension does it).
Has there been a discussion or vote on this? Who decided not to implement it?
I find it important because of several reasons:
1) a PS with bind variables is safer because it prevents SQL injection attacks
2) a PS with bind variables simplifies development of JDBC based "on premise" solutions, where the customer can choose the db vendor of their data warehouse. Consider an input query that selects records based on a start date. If bind variables are used the java Date parameter can be passed to the PS and the JDBC driver would take care of the formatting. If bind variables are not used, the ETL developer is responsible for doing the vendor specific adaptations, which results in ugly code & duplication.
Please reconsider issue http://www.talendforge.org/bugs/view.php?id=14120