try-with-resources and jdbc without sql injection

As I was on Oracle’s JDBC tutorial page, I noticed it was using a Statement rather than a PreparedStatement. I grumbled to myself about how this is teaching people to develop using SQL Injection and decided to Google for an example so I could tweet about it.

I was looking for an example of using try-with-resources automatic resource management using PreparedStatements. I searched on google for “try with resources jdbc”. This didn’t go well. I found a lot more of the same example including one from Martjin and Ben whom I respect. It is even that anyone’s example is bad. It is just oversimplified and implies that using createStatement is more common than using prepareStatement.

I then searched for “try with resources preparedstatement” to be more specific about it and found:

  • Informit does use a PreparedStatement but one without any binding variables.  Which means as an example, it isn’t much better.
  • JavaCodeGeeks does the same.
  • Someone on StackOverflow asked how best to do it and got an answer involving a nested try.  Which does work, but the nested try seem less readable than it needs to be.

I propose:


public List<String> query(Connection conn) throws SQLException {

List<String> list = new ArrayList<String>();

try (PreparedStatement stmt = createPreparedStatement(conn);  ResultSet rs = stmt.executeQuery()) {

while (rs.next()) {

list.add(rs.getString("name"));

}

}

return list;

}

private PreparedStatement createPreparedStatement(Connection conn) throws SQLException {

PreparedStatement ps = conn.prepareStatement(SQL);

ps.setString(1,  "test");

return ps;

}

The StackOverflow post proposes:

public List<String> query(Connection conn) throws SQLException {

List<String> list = new ArrayList<String>();

try (PreparedStatement stmt = conn.prepareStatement(SQL)) {

stmt.setString(1, "test");

try (ResultSet rs = stmt.executeQuery()) {

while (rs.next()) {

list.add(rs.getString("name"));

}

}

}

return list;

}

The StackOverflow answer is shorter.  I think the reason I like mine better is that is is easier to template out so the JDBC plumbing is only in a superclass.  Leaving us with

public List<String> query(Connection conn) throws SQLException {

List<String> list = new ArrayList<String>();

try (PreparedStatement stmt = createPreparedStatement(conn); ResultSet rs = stmt.executeQuery()) {

return processResultSet(rs);

}

return list;

}

The subclass then has two methods to implement:

  1. PreparedStatement createPreparedStatement(Connection conn)
  2. T processResultSet(ResultSet rs)  [templated to return type of subclass’ choosing]

Which approach do you like better?

java 7 does not work with eclipse 3.6 or open office

In preparation for downloading Eclipse 4.2 (Juno), I downloaded Java 7 for the Mac.  It was quite an experience.

TL/DR: Don’t use Java 7 with Eclipse 3.6 or Open Office 3.  Alternatives below.

Installed Java 7 for the Mac

Up to now, I’ve been doing all my Java 7 learning/testing/etc in a Linux JVM.  Now that Juno is out, it seemed high time to add it to my path.

  1. Download the dmg from jdk7.java.net or Oracle’s main site. (both are now Oracle versions.  The former is a slightly later version since it is a release preview.  Oddly enough installing the Oracle one uninstalled the newer preview version of the jdk7 one.
  2. Click on dmg.  Double click to get Java wizard
  3. Open finder.  In the go menu choose utilities
  4. Choose java preferences and uncheck Java 1.6 or previous versions of 1.7 you have downloaded.
  5. Now “java -version” at the command line is Java 7.

Dr Dobbs describes this well with screenshots although they do assume you know how to open the java preferences.

Eclipse problem

Error: “failed to create the Java virtual machine”

However, when I tried to launch Eclipse 3.6, I got “failed to create the Java virtual machine.”

The first thing I did was check my path still contained the JDK:

javac -version
javac 1.7.0_05

I then tried the Eclipse alias that runs at a command line which got more of an error message:

/Applications/eclipse/Eclipse.app/Contents/MacOS/eclipse ; exit;
JavaVM: requested Java version ((null)) not available. Using Java at "" instead.
JavaVM: Failed to load JVM: /bundle/Libraries/libserver.dylib
JavaVM FATAL: Failed to load the jvm library.
logout

This problem is discussed in a stackoverflow thread. Juno does fix this problem.

Summary: Stay on Java 6 with Eclipse 3.7 (Indigo) and go to Java 7 with Eclipse 4.2 (Juno).

 Open Office problem
Error: OpenOffice.org requires a Java runtime environment (JRE) to perform this task. The selected JRE is defective. Please select another version or install a new JRE and select it under Tools – Options – OpenOffice.org – Java.
Oh fun.  OpenOffice doesn’t yet play well with Java 7.  I wound up switching my system JRE back to 6 and my default Eclipse JRE to Java 7.  This makes everyone happy.

java 7 from the nyjavasig

Google java 7 a bug’s life – for approach to bug

Java 7 has come a long way since the Java road show 14 months ago when I blogged about what may or may not be in Java 7. And not always forwards. Oracle sent Donald Smith (director of project management with some coding knowledge) to the NY Java Sig.  In this blog entry, we’ll look at what features made it in, the strategy discussion from Oracle and then some details.

How does Java 7 shape up compared to the road show?

Before we get to what actually happened at the sig, let’s see how Java 7 shaped up compared to the road show.

Category Feature How to Use or Status
Modularity Project Jigsaw Java 8 – modularize the JDK to address the “Java is too big” problem.  Will not replace OSGi.
Multi-lingual Support DaVinci Machine Includes invokedynamic and more. See docs
invokeDynamic Implemented in virtual machine/bytecode to make dynamic languages faster. Invokevirtual was closest but slow because doing extra type checking. Builds CallSite so only does that extra work once and improves performance of subsequent calls. JRuby noted 20% perfromance increase.
Small languages changes (Project Coin) Diamond Operator List>Map<String, Integer> list = new ArrayList<>();
Integer Literals int num = 1_234_567;
Try Catch With Resources try (InputStream s = …) {  … }
Collection literals (like associative array) Didn’t go anywhere. Haven’t seen talked about for Java 8 either.
Other While other (undetermined) features weren’t publicized last year, they will be part of Java 8.
Performance Fork Join New APIs in Java 7.  See end of post for details.
ParallelIntArray Not in Java 7. Didn’t go anywhere.
Closures Closures/Lambda Expressions Deferred to Java 8.  Will include support for multi-core.

High Level/Strategy

Donald didn’t sound like a typical Oracle speaker. He was funny, easy to relate to and started out by talking about his biases/background It felt more personal than corporate. Usualy when Oracle prents something it sounds like legal reviewed it and stripped out a lot. The slide deck did have the standard nine line Oracle disclaimer. He did note that IBM’s Sarbanes Oxley disclaimer is twice as long as Oracle’s. People asked tough questions and he answered honestly when not knowing the answer.

Interesting things from Strategy and Q&A

  1. Timelines
    • Java 6 came out in 2006.  The four years to Java 7 was the longest time between releases anywhere.
    • Java 7 update 1 is due out in early September and will contain the major bug fixes.
    • Java 7 update 2 is due out in October and will contain garbage collection enhancements.
    • Java 8 is targeting 2012.  The speaker thinks 18 months is too soon for Java 8 because the industry is no longer used to a 2 year release cycle anymore, let alone more frequent..  He thinks we need time for the tooling to catch up.
  2. Java heath (just Java; doesn’t include JVM languages)
  3. Official terms for past are “legacy sun employee” or “legacy bea employee”.
  4. HotSpot vs JRockit
    • Survey says 70% use Sun JDK and only 5% use JRockit.
    • Oracle decided to officially kill the JRockit JVM and just use the JRockit tooling. (Mission Control, Flight Recorder and RT)
    • Over time, the two will merge with the JRockit tools being premium features.
    • Oracle emphasized performance will also be free and part of the main JDK.
    • Googlefight between the two shows Hotspot as the clear winner.
  5. JavaOne – Oracle is holding back announcements for JavaOne.  Expect some on
    • Java 7 Certifications
    • Something about the Mac.  Maybe with respect to Java 8.  (Oracle claims the delay in Java 7 on the Mac is to “make things right” with the Apple UI.)
    • Recognition that Oracle needs to clean up their name in community by announcing things at JavaOne and doing them without surprises.
  6. Open jdk is slowly becoming more open. For example, Oracle recognizes the need to open bugs to public before Oracle sees/runs triage. Looking at using jira for this.
  7. Java 7 theme is “moving Java forward.”  In other words, just get something out without waiting for all the features.

More on Java 7

The emphasis was the need to be careful about protecting the platform, the amount of work in the smallest of changes and the desire to not change the type system.  Changes fall into three categories:

  1. Language changes
    • All project coin changes noted in table up top
    • + Allowing Strings in the switch statement
    • + @SafeVarargs allowing the method itself to declare safety so all callers don’t have to suppress warnings.
    • + AutoClosable interface for I/O and JDBC 4.1 resources.  Using these within the try with resources syntax in the table above means they will get automatically closed.  It also means exceptions thrown in that auto generated finally will be suppressed but still available in the stack trace.
    • + Catching multiple unrelated exceptions catch(ExceptionType1 | ExceptionType2 e)
  2. Library changes
    • NIO – Better exceptions, more extensible to different file systems, rename behavior more consistent , more access to metadata
      • Path is the replacement for File. It understands symbolic links cross platform consistently and provides many methods.
      • Lots of methods to create/navigate/transform paths
      • Can call path.toFile() to get file from path to call old apis
      • Paths helper class to get path
      • Files helper class to copy files with lots of options such as copy with attributes or replacing exisiting attributes.  Also supports atomic move.
    • Concurrency (Fork/Join)
      • Phaser class which is similar to the cyclic barrier and countdown latch but has better synchronization and deadlock protection.  Can also add and remove threads on fly.
      • TransferQueue interface which is implmented by LinkedTransferQueue – the producer or consumer can block while waiting so dont get too far ahead
      • The key class to implement your logic in should implement RecursiveTask.  It is like RecursiveAction except that it returns a result.  All you have to do is implement the compute() method.
      • The ForkJoinPool is the executor so you can submit your task to have it run.  Methods are provided to see if it is done and get the result.  By default it uses the # available processors or you can specify explicitly.
  3. Runtime changes
    • See table up top for changes.
    • Oracle listed all the languages that can run on a JVM.  They noted that some are research projects by students and not “real” or “ready.”  I laughed because C# was on the list.  Why would you want to run C# on a JRE?
  4. Other
    • Swing nimbus look and feel is completed.  Metal is still the default.
    • Eliptic curve cryptography
    • Deadlock avoidance in classloader
    • Close method for UrlClassloader
    • Javadoc now has support for CSS.  Which means the JavaDoc now has “nice looking annoying frames”