Don't concatenate strings with jOOQ
2022-08-02 00:32:00 【YYniannian】

jOOQ supports a large number of SQL syntaxes out of the box, so most users no longer need to resort to string concatenation the way they did when writing dynamic SQL with JDBC. But every now and then, jOOQ doesn't support a certain vendor-specific feature (yes, it happens). For those cases, jOOQ offers the various "plain SQL" APIs, which can be used to construct almost any kind of jOOQ API element, e.g.:
```java
// Static import is implied, as always
import static org.jooq.impl.DSL.*;

// Column expressions
Field<String> f = field("cool_function(1, 2, 3)", String.class);

// Predicates
Condition c = condition("col1 <> col2");

// Tables
Table<?> t = table("wicked_table_valued_function(x, y)");
```

However, sometimes you need to pass an argument to such a function dynamically, for example another column expression. And you want to do that in a type-safe way, because the jOOQ code generator already produces type-safe column expressions. So you might be inclined towards concatenation:
```java
field("cool_function(1, " + MY_TABLE.MY_COLUMN + ", 3)");
```

**Don't do this!** For these reasons:
- Although jOOQ is very safe against SQL injection in general, you can actually introduce a real SQL injection vulnerability here. Not in this case, because the column is generated code, but maybe one day you'll concatenate user input instead. Note that for added SQL injection protection, you can prevent the use of plain SQL globally with our PlainSQL checker (using the Checker Framework or Google ErrorProne) and only allow it locally where needed.
- As usual with string concatenation, you are prone to SQL syntax errors. In this case, the generated SQL does not target any dialect, because `MY_TABLE.MY_COLUMN.toString()` does not have any contextual information like the `SQLDialect` and all the other configuration flags.
Instead, use jOOQ's plain SQL templating mini-language, which allows template placeholders like `{0}`, `{1}`, `{2}`:
```java
field("cool_function(1, {0}, 3)", MY_TABLE.MY_COLUMN);
```

If you do this often, you can consider wrapping this call in your own mini-DSL:
```java
// Type-safe wrapper around the plain SQL template: the placeholder {0} is
// rendered by jOOQ, so the argument keeps its dialect and configuration context
public static Field<String> coolFunction(Field<?> field) {
    return field("cool_function(1, {0}, 3)", String.class, field);
}
```

And now, call it like this:
```java
coolFunction(MY_TABLE.MY_COLUMN)
```

As a rule of thumb: with jOOQ, you should never need to resort to SQL string concatenation; you can always use one of the following two approaches:
- Type-safe jOOQ DSL API
- The plain SQL templating API (preferably hiding this usage behind your own type-safe DSL API).
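The following self-contained program, added here as an illustration and not part of the original post or of jOOQ itself, puts the two variants side by side: the concatenated version lets an argument with a single quote (a constructed name such as `O'Brien`) land verbatim in the SQL text, while the templated version turns the same value into a bind variable and renders a column argument as a properly quoted, dialect-aware identifier. `MY_TABLE` and `MY_COLUMN` are hand-built stand-ins for generated code, and `coolFunction` is the hypothetical wrapper from the post.

```java
import static org.jooq.impl.DSL.*;

import org.jooq.DSLContext;
import org.jooq.Field;
import org.jooq.SQLDialect;
import org.jooq.Table;

public class PlainSqlTemplates {

    // Stand-ins for what the jOOQ code generator would normally produce (constructed here)
    static final Table<?> MY_TABLE = table(name("my_table"));
    static final Field<String> MY_COLUMN = field(name("my_table", "my_column"), String.class);

    // Mini-DSL wrapper around the plain SQL template; {0} is rendered by jOOQ
    public static Field<String> coolFunction(Field<?> arg) {
        return field("cool_function(1, {0}, 3)", String.class, arg);
    }

    public static void main(String[] args) {
        // No database connection is needed to render SQL for a given dialect
        DSLContext ctx = using(SQLDialect.POSTGRES);

        // Constructed untrusted input: a perfectly ordinary value that contains a quote
        String userInput = "O'Brien";

        // Concatenation: the value is spliced into the SQL text as-is, so the
        // embedded quote terminates the string literal early (a syntax error at best)
        Field<String> concatenated =
            field("cool_function(1, '" + userInput + "', 3)", String.class);
        System.out.println("concatenated : " + ctx.render(concatenated));

        // Template with val(): the value becomes a bind variable, never SQL text
        Field<String> templated = coolFunction(val(userInput));
        System.out.println("templated    : " + ctx.render(templated));

        // renderInlined() shows what the driver would send: jOOQ escapes the quote itself
        System.out.println("inlined      : " + ctx.renderInlined(templated));

        // A column argument is rendered as a qualified identifier, quoted for the dialect,
        // which MY_COLUMN.toString() alone could not do since it has no SQLDialect context
        System.out.println("column       : "
            + ctx.render(ctx.select(coolFunction(MY_COLUMN)).from(MY_TABLE)));
    }
}
```

Run it with `jooq` (and its dependencies) on the classpath; no JDBC driver is required because `DSL.using(SQLDialect)` only renders SQL. Switching the dialect in `using(...)` is a quick way to see why the templated form is the only one that adapts its identifier quoting and literal escaping to the target database.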